A PDF version of this publication is attached here: PCAOB proposes significant expansion of auditor responsibilities (PDF 163kb)
At a glance

The PCAOB has proposed rule changes related to an auditor’s consideration of a company’s noncompliance with laws and regulations, including fraud. The changes, if adopted, would impact the scope of the audit by significantly expanding the auditor’s objectives related to compliance beyond what has traditionally been addressed in a financial statement audit.
In its economic analysis, the Board acknowledges that the new requirements would result in additional, potentially substantial costs to auditors and the companies they audit.
The PCAOB is seeking feedback about, among other matters, whether the proposed requirements are sufficiently clear; whether the expansion of the auditor’s responsibilities is practical and cost effective to implement; the potential increased need for auditors to use specialists (and whether there are substantial costs associated with the increased need to use such specialists); and whether there are other alternatives that better promote investor protection, efficiency, competition, and capital formation. All stakeholders, including investors, board members, and preparers, should consider providing input to the PCAOB on the proposal. Comments are due August 7.

Overview of the proposal
On June 6, the PCAOB proposed amendments to its auditing standards related to a company’s noncompliance with laws and regulations (described hereafter as “noncompliance”). The proposed amendments would replace, amend, and rescind various existing requirements, including those relating to an auditor’s responsibilities to detect illegal acts (AS 2405, Illegal Acts).
The proposed changes were approved with a 3-2 vote. The two board members who are certified public accountants voted against the proposal, expressing fundamental concerns about expanding the scope of the audit, the additional expertise that would be required, the significant cost impact, the potential for auditors to be required to perform a management function, and other unintended consequences.
The new definition of noncompliance
The proposed definition of noncompliance with laws and regulations extends beyond the current definition of “illegal acts” and includes circumstances not previously addressed by the existing definition. The following is the proposed definition of “noncompliance with laws and regulations”:
An act or omission, intentional or unintentional, by the company whose financial statements are under audit, or by the company’s management, its employees, or others that act in a company capacity or on the company’s behalf, that violates any law, or any rule or regulation having the force of law. Noncompliance with laws and regulations includes fraud as described in paragraph .05 of AS 2401, Consideration of Fraud in a Financial Statement Audit. Noncompliance with laws and regulations does not include personal conduct by the company’s personnel unrelated to the business activities of the company.
The proposal also notes that the definition of noncompliance with laws and regulations would include all other fraud, including non-scienter fraud, which is fraud without intent or knowledge of wrongdoing.
Responsibilities for compliance
Companies, and their management, are responsible for compliance with laws and regulations. Companies are subject to a variety of legal and regulatory environments, driven in part by the nature of the products and services they provide, and the industry and geographic location in which they operate. Their compliance requirements are often expansive, and they may put in place various mechanisms to prevent and detect potential noncompliance. These include governance processes and internal controls beyond those that address financial reporting, which can be costly.
Noncompliance can also be costly. It may lead to sanctions, fines, and civil settlements and can also result in substantial financial damage to investors and reputational harm for companies. Legal advice, at times provided under attorney-client privilege, is often necessary to determine whether noncompliance has occurred and what the potential exposure is to the company, which could have collateral impacts on the financial statements.
The current scope of a financial statement audit
The auditor’s objective in a financial statement audit is to obtain reasonable assurance about, and opine on, whether the financial statements are free of material misstatement, whether due to error or fraud. Misstatements can arise from fraudulent financial reporting and misappropriation of assets. They can also arise when the effects of noncompliance, including fraud, are not properly recorded or disclosed in the financial statements.
Public accounting firms are often multi-disciplinary, offering forensic and other compliance-oriented services. The PCAOB’s proposal would require the incorporation of a broader set of these services into the scope of a financial statement audit.
Current auditing standards related to fraud are focused on audit procedures related to identifying and responding to fraud risks and communicating about fraud to management, the audit committee, and others. Current PCAOB standards related to noncompliance are focused on audit procedures related to those laws and regulations that have a direct and material effect on the determination of financial statement amounts — an approach that takes into account the following:
  • Illegal acts vary considerably in their relation to the financial statements — generally, the further removed an illegal act is from the events and transactions ordinarily reflected in financial statements, the less likely the auditor is to become aware of the act or to recognize its possible illegality.
  • The requirements for scoping a financial statement audit ordinarily do not provide a sufficient basis to identify possible violations of laws and regulations that relate more to a company’s operating aspects than to its financial and accounting aspects.
  • Whether an act is illegal is a determination that is normally beyond the auditor’s professional competence — one generally based on legal advice that may also have to await final determination by a disciplinary or administrative proceeding or civil or criminal action.

As explained in the auditing standards, an audit in accordance with PCAOB auditing standards does not include audit procedures specifically designed to detect illegal acts. The possibility of misstatements resulting from illegal acts having a direct and material effect on the financial statements, however, is considered in audit planning. Risk assessment procedures include inquiries of management, audit committees, and others about whistleblower programs. Certain laws and regulations may need particular auditor attention because they have a fundamental effect on the company’s operations (e.g., because they may cause the company to cease operations or call into question its ability to continue as a going concern).
The auditor is mindful of indications of potential noncompliance throughout the audit. Such indications, for example unexplained payments made to third parties or unusual transactions with companies registered in tax havens, may come to the auditor’s attention when performing audit procedures. The auditor’s work to test and evaluate the effectiveness of internal control over financial reporting may also identify instances of actual or suspected noncompliance, including fraud.
When auditors become aware of illegal acts or other potential noncompliance, PCAOB auditing standards and the illegal acts provisions of Section 10A of the Securities Exchange Act of 1934 for the audits of issuers require auditors to evaluate the effect of such noncompliance on the financial statements and discuss the matter with management and the audit committee (unless clearly inconsequential). Often, assessing the effects of illegal acts or noncompliance requires consultation with a company’s legal counsel and other specialists about the application of relevant laws and regulations to the circumstances.
Proposed changes to the auditor’s objectives
The Board’s proposed elimination of language in existing standards that “an audit made in accordance with PCAOB standards provides no assurance that illegal acts will be detected or that any contingent liabilities that may result will be disclosed” may be interpreted to suggest that audits are designed to provide reasonable — or even absolute — assurance that all noncompliance will be detected. Said differently, the proposed increase in auditor responsibilities could result in a shift in an auditor’s focus from whether the financial statements are materially misstated to identifying noncompliance, even when the potential impact of such noncompliance is immaterial.
As proposed, significant effort would be required in relation to new and enhanced requirements for the auditor to do the following:
  • Identify laws and regulations with which noncompliance could reasonably have a material effect on the financial statements (described hereafter as “relevant laws and regulations”) — which may go beyond what securities laws require management to do
  • Perform additional risk assessment procedures that address noncompliance with relevant laws and regulations, including understanding management’s processes related to noncompliance
  • Design and perform procedures aimed at identifying whether there is information indicating that noncompliance with relevant laws and regulations has or may have occurred
  • Understand the nature and circumstances of any noncompliance identified by the auditor or of which the auditor becomes aware, including fraud, regardless of whether the effect of such noncompliance is perceived to be material to the financial statements, and determine whether it is likely any such noncompliance occurred

The proposed changes to an auditor’s responsibilities are likely to result in an expansion of scope, effort, and — ultimately — cost for an audit, which the proposal notes “could be sizeable.” It also raises questions about the extent of legal expertise needed, the impact on attorney-client privilege, and the risk of the auditor being considered to be practicing law or being perceived as performing a management function.
Proposed changes to understanding management’s processes
Amendments to the PCAOB’s risk assessment standard (AS 2110) would provide more specific requirements designed to enhance the auditor’s understanding of the laws and regulations that govern the determination of the form and content of the financial statements, as well as other relevant laws and regulations that may have an indirect effect on the financial statements.
Specifically, given the expanded scope and objectives, auditors would be required to understand management’s risk assessment process related to the following:
  • Identifying relevant laws and regulations
  • Preventing, identifying, investigating, evaluating, communicating, and remediating instances, or alleged or suspected instances, of fraud and other noncompliance
  • Receiving and responding to tips and complaints from internal and external parties
  • Evaluating potential accounting and disclosure implications as a result of identified noncompliance

Under the PCAOB’s proposal, the auditor would be able to consider management’s process to identify relevant laws and regulations, but the auditor’s identification would not be limited to those laws and regulations identified by management.
Proposed expansion of the scope of laws and regulations considered by the auditor
Under the proposal, the auditor would be required to plan and perform procedures based on an understanding of management’s process, as explained above. The procedures would be designed to identify the laws and regulations with which noncompliance could reasonably have a material effect, whether direct or indirect, on the financial statements. The proposal provides limited guidance on how to assess matters that “could reasonably have a material effect on the financial statements” when the instance of noncompliance has an indirect effect on the financial statements. Rather, the proposal notes only that this assessment would include laws and regulations that “may relate to the operations of a company with which the company’s noncompliance could reasonably result in material penalties, fines, or damages to the company.”
In addition to securities laws, the proposal cites various categories of laws and regulations that may be considered to be relevant laws and regulations and therefore subject to auditor effort — for example, laws and regulations relating to the environment (including those that address greenhouse gas emissions), antitrust, Foreign Corrupt Practices Act, anti-money laundering, price-fixing, privacy, occupational health and safety, food and drug administration, employment, and consumer protection.
Historically, many of these laws and regulations have been viewed as related to a company’s operations, and noncompliance with them would have an indirect effect on a company’s financial reporting. Auditors would be required under the proposal to explicitly determine whether noncompliance with these types of laws would result in a risk of material misstatement, design appropriate audit procedures to respond to that risk, and evaluate any instances of noncompliance with these laws and regulations, even when the impact on the financial statements is unclear.
Enhancements to the auditor’s risk assessment requirements are also being proposed to incorporate the Board’s view that a company’s strategy to grow, modify, or discontinue business operations is a potential business risk that might result in material misstatement of the financial statements or indicate potential noncompliance with laws and regulations, such as climate regulations.
Proposed requirements for identifying and evaluating noncompliance
The auditor would specifically need to plan and perform procedures to identify whether there are instances of noncompliance with relevant laws and regulations, regardless of whether the effect of that noncompliance is “perceived to be” material to the financial statements. This may result in significant incremental effort as a result of the shift in the scope of the audit and in light of the many laws and regulations that may now be deemed relevant to audit procedures due to the potential effect of noncompliance on the financial statements.
The proposal also would require the auditor to assess noncompliance by agents of the company, requiring the auditor to understand the laws that determine when one party is acting as an agent of another party.
The proposal notes that management inquiry, by itself, would not provide sufficient evidence that all instances of noncompliance that could reasonably have a material effect on the financial statements have been identified and properly presented. Accordingly, auditors would likely need to understand management’s processes related to compliance with relevant laws and regulations and test relevant controls or perform additional substantive procedures designed for the purpose of identifying potential noncompliance.
When the auditor identifies or otherwise becomes aware of information indicating that noncompliance has or may have occurred, the proposal would require the auditor to obtain an understanding of the nature and circumstances of any such noncompliance — regardless of whether the effect of such noncompliance is perceived to be material to the financial statements — and determine whether it is likely that any such noncompliance occurred. In this regard, the proposal notes that auditors may need to retain specialists to assist the auditor to understand complex technical or legal information that could indicate whether noncompliance has occurred.
When instances of noncompliance are identified, management needs to have a process to evaluate the potential impact on the financial statements as well as other potential disclosure requirements, and may involve legal and other specialists in arriving at their conclusions. If there is a view that disclosures related to noncompliance have been insufficient, actions by the FASB and SEC may be necessary to enhance requirements for companies to disclose those matters in the financial statements or elsewhere in documents like the company’s periodic filings.
This collaborative approach would be consistent, for example, with the efforts taken by the SEC and PCAOB in making determinations about where auditors should concentrate their efforts on evaluating brokers’ and dealers’ internal control over compliance — resulting in a focus on financial responsibility rules, rather than all rules that apply to brokers and dealers. The proposal would undermine this targeted approach in audits of brokers and dealers that was developed through extensive consideration of risk, costs and benefits, and significantly expand the scope of the financial statement audit to all the applicable rules.
Other areas addressed by the proposal
The following are other elements included in the proposal:
  • More prescriptive risk assessment procedures to enable auditors to understand the events, conditions, and company activities that might reasonably be expected to have a significant effect on the risks of material misstatement, including reading company-issued press releases, company-prepared presentation materials for analysts or investors, public statements that have been made by the company or its executive officers (including on social media), and information about the company issued by other sources external to the company (such as media reporting and analyst reports)
  • Expanded requirements to discuss whether management, audit committees, internal audit, or others at the company have knowledge of instances, or alleged or suspected instances, of noncompliance that could reasonably have a material effect on the financial statements
  • Expanded requirements to inquire of management about (1) controls that help to prevent and detect noncompliance, including how management monitors those controls and (2) whether correspondence exists with the company’s relevant regulatory authorities regarding instances or alleged or suspected instances of noncompliance
  • Additional obligations to communicate with management and audit committees when the auditor identifies or otherwise becomes aware of information indicating that noncompliance, including fraud, has or may have occurred
      - Under the proposal, the auditor would be required to make an initial communication to management and audit committees upon becoming aware of possible noncompliance, even when the auditor has not yet determined whether the noncompliance has or is likely to have occurred and the associated financial statement impacts. When the matter is “clearly inconsequential,” the auditor would not be required to do this initial communication with audit committees, but the auditor would continue to be required to make such communication to management. The proposed standard includes a note that any matters involving senior management are presumed not to be “clearly inconsequential.”
Economic analysis
The PCAOB believes improving auditing standards could protect investors from harm from noncompliance and enhance audit quality. It is important, however, that the merits of the proposed changes are sufficiently evaluated, with adequate consideration of the balance between anticipated benefits (namely increased investor protection) and anticipated costs. Significant changes in the auditor’s role with respect to noncompliance will result in incremental costs. In addition to increased costs of auditors, the proposal may result in significant cost to companies because they may need to enhance their compliance functions in light of the increased procedures an auditor will be expected to perform.
The Board’s economic analysis acknowledges the expectation of direct and indirect cost increases, noting the following:
Companies being audited may also incur costs related to the proposed amendments, both directly and indirectly. Companies could incur direct costs from engaging with or otherwise supporting the auditor performing the audit. For example, some companies could face costs of producing documents and responding to additional auditor requests related to the procedures required by the proposed amendments to AS 2110. To the extent that auditors incur higher costs to implement the proposed amendments and are able to pass on at least part of the increased costs through an increase in audit fees, companies could incur an indirect cost. Moreover, if a company takes remedial actions to improve its internal control over financial reporting as a result of the proposed amendments, additional costs may be incurred. Companies could also incur indirect costs as a result of the proposed standard insofar as a company might seek to mitigate the extent of substantive procedures that the proposed standard would require of its auditor by enhancing the company’s own processes and controls over its compliance with relevant laws and regulations.
Feedback from stakeholders on the economic analysis will be particularly relevant to the PCAOB as it moves forward.
To have a deeper discussion, contact:
Brian Croteau
US Chief Auditor
Email: brian.croteau@pwc.com
Tom Gaidimas

Email: thomas.gaidimas@pwc.com
Kathy Healy
Managing Director

Email: kathleen.k.healy@pwc.com
3 PCAOB Release No. 2023-003, page 77
4 PCAOB Release No. 2023-003, page 78