Potential areas for company risk focus
KPMG Insights
The PCAOB proposed amendments to the auditing standards related to NOCLAR, which (if adopted and approved as proposed) would lead auditors to expect from their clients an array of demonstrable company risk preparedness, including:
November 2023
In June 2023, the Public Company Accounting Oversight Board (PCAOB) issued proposed amendments to AS 2405, Illegal Acts by Clients (AS 2405), related to auditors’ responsibilities regarding a company’s noncompliance with laws and regulations (NOCLAR), including fraud (PCAOB Release No. 2023-003). The public comment period ended August 7, 2023. In November 2023, the PCAOB published its 2024 agenda, indicating that NOCLAR is on its “short-term” standard-setting project agenda and that adoption of final amendments is expected in 2024. Once adopted by the PCAOB, final amendments will be submitted to the Securities and Exchange Commission (SEC) for approval.
The proposed changes are intended to “protect investors from the resulting harm of noncompliance with laws and regulations when the effect of such noncompliance has a material effect on the financial statements”. The proposal would add objectives including:
The proposed amendments are outlined in the tables below, along with key take-aways developed by KPMG:
Proposed Amendments | Key Take-Aways |
---|---|
Consider ‘noncompliance with laws and regulations,’ including fraud, instead of ‘illegal acts’. | Change in definition alone may not significantly affect practice. |
Identify the laws and regulations with which noncompliance could reasonably have a material effect on the financial statements. | Incorporates a significant change from the current requirements, which focus audit efforts on those laws and regulations that have a direct and material effect on the financial statements. Under the current standard, the auditor is not required to identify those laws and regulations that may indirectly affect the financial statements until they are determined to have a direct effect (e.g., through a material fine that needs to be recorded or a contingent obligation that needs to be disclosed). The proposal would require auditors to consider laws and regulations with which noncompliance could reasonably have either a direct or indirect material effect on the financial statements. The proposal uses noncompliance with environmental regulations that may result in material fines and penalties as an example with an indirect effect on the financial statements. This change appears to require auditors to determine a complete population of laws and regulations to identify those that ‘could reasonably have a material effect on the financial statements’; however, the meaning of this phrase is not defined in the proposal. Instead, the proposal provides examples of laws and regulations that may be relevant because of potentially significant fines, penalties, or other damages to a company in the event of noncompliance. This may include laws and regulations in the areas of securities, environmental, privacy, and occupational health and safety, among others, and auditors and issuers would likely need to involve additional specialists with expertise in these areas. |
Assess and respond to risks of material misstatement of the financial statements due to noncompliance with the identified laws and regulations. | Includes more explicit, unconditional requirements for assessing and responding to risks related to noncompliance compared to the current AS 2405 and ties the auditors’ responsibilities related to NOCLAR to the risk assessment concepts elsewhere in the auditing standards. While current auditing standards encompass risks of material misstatement due to error or fraud, the current standards do not explicitly address risk of material misstatement due to NOCLAR. Also, the proposal would require the auditor to perform certain enhanced risk assessment procedures. |
Plan and perform procedures to identify whether there is information indicating noncompliance with the identified laws and regulations has or may have occurred. | Incorporates a significant change from the current requirements, which require the auditor to plan and perform procedures responsive to those laws that have a direct and material effect and includes explicit procedures over the potentially large population of laws and regulations. The proposal would also remove existing language making it clear that currently auditors do not make legal judgments and often are not able to determine definitively that noncompliance has occurred. This change combined with the increase in the number of laws and regulations that are in scope for the audit could create an expectation that the audit will be providing some degree of assurance regarding the company’s compliance with laws and regulations. |
Perform procedures to evaluate the possible effect of likely NOCLAR on the financial statements (including material misstatements) and on other information and assess management's remediation of such NOCLAR. | Adds to the procedures in the current AS 2405, including more specific consideration of involving specialists, evaluating the impact of likely NOCLAR on other information in documents containing audited financial statements (e.g., risk factors, MD&A and other sections of a 10-K), and assessing management’s remedial actions. |
Communicate likely instances of NOCLAR to appropriate parties at appropriate times during the audit, regardless of whether the effect of the noncompliance is perceived to be material to the financial statements. | Incorporates management and audit committee communication requirements in Section 10A of the Securities Exchange Act of 1934 and would require communication at multiple points after a likely instance of NOCLAR has been identified. The proposal would require initial communication to management and the audit committee when the auditor identifies or otherwise becomes aware of information indicating that noncompliance with laws and regulations has or may have occurred. It also would require a subsequent communication of whether an act was likely to be noncompliant after the auditor has evaluated whether it is likely noncompliance has occurred. |
The PCAOB is also proposing to amend other auditing standards to better incorporate consideration of NOCLAR, including the following:
Proposed Amendments | Description |
---|---|
Risk assessment (AS 2110: Identifying and assessing risks of material misstatements): Obtaining an understanding of the relevant regulatory environment, management’s processes related to identifying relevant laws and regulations, and preventing or addressing instances of actual or suspected NOCLAR (including any financial statement effects, and making specific inquiries related to NOCLAR). | Provides more specific requirements for the auditor to obtain an understanding of management’s process to:
Expands the specific sources of information used in risk assessment, including executive officers’ social media accounts. |
Interim reviews (AS 4105: Reviews of Interim Financial Information): Clarifying the required interim procedures, including when likely NOCLAR may have occurred. | Unclear as to extent of evaluation needed, which could impact timing of completing an interim review. |
As proposed, and discussed in the KPMG Insights above, the amendments would have short- and long-term impacts on functions outside of financial reporting, such as legal, compliance, and risk management processes (e.g., compliance and investigation programs, compliance risk assessments, regulatory change, controls build and testing).
Noncompliance with Laws and Regulations, Including Fraud: PCAOB Proposed Amendments