Noncompliance with Laws and Regulations, Including Fraud: PCAOB Proposed Amendments

Potential areas for company risk focus

KPMG Insights

The PCAOB proposed amendments to the auditing standards related to NOCLAR, which (if adopted and approved as proposed) would lead auditors to expect from their clients an array of demonstrable company risk preparedness, including:

  • Compliance & Investigation Programs: Need to assess/strengthen all programmatic areas of compliance, investigations, issues management, complaints management, etc.; overall corporate risk programs, as well as within/across “high-impact” regulatory programs; and enhancements related to the identification, sizing, communication (within/outside legal privilege), escalation, and overall control environment of potential noncompliance and fraud.
  • Compliance Risk Assessments: Need to assess/strengthen robustness of inherent and residual risk calculations to the law/rule/regulation-level with dynamic assessments, including consideration of areas such as complaints, investigations, self-identified issues, and monitoring/testing results for laws and regulations that may not be a current focus.
  • Regulatory Change: Need for full and dynamic inventory of applicable laws, rules, and regulations, mapped to business processes and controls, and utilized for ongoing compliance risk assessments (including inherent and residual risk).
  • Controls Expansion/Testing: Need to expand the build and conduct of ongoing controls, control mapping, control accountability and control testing to those over compliance with laws and regulations, in line with (and potentially part of) SOX and/or SOX-like standards.

 __________________________________________________________________________________________________________________________________________________

November 2023

The Public Company Accounting Oversight Board (PCAOB) issued proposed amendments to AS 2405, Illegal Acts by Clients (AS 2405) related to auditors’ responsibilities regarding a company’s noncompliance with laws and regulations (NOCLAR), including fraud (PCAOB Release No. 2023-003) in June 2023. The public comment period ended August 7, 2023, and in November 2023, the PCAOB published its 2024 agenda indicating that NOCLAR is on their “short-term” standard-setting project agenda, and adoption of final amendments is expected in 2024. Once adopted by the PCAOB, final amendments will be submitted to the Securities and Exchange Commission (SEC) for approval.

The proposed changes are intended to “protect investors from the resulting harm of noncompliance with laws and regulations when the effect of such noncompliance has a material effect on the financial statements.” The proposal would add objectives including:

  • Identifying laws and regulations with which “noncompliance could reasonably have a material effect on the financial statements.”
  • Assessing “the risks of material misstatement of the financial statements due to noncompliance with those laws and regulations” and responding appropriately.
  • Identifying whether there are instances of NOCLAR that have or may have occurred.
  • Evaluating NOCLAR instances and associated communication to appropriate parties.

The proposed amendments are outlined in the tables below, along with key take-aways developed by KPMG:

Proposed Amendment: Consider ‘noncompliance with laws and regulations,’ including fraud, instead of ‘illegal acts’.

Key Take-Aways: Change in definition alone may not significantly affect practice.

Proposed Amendment: Identify the laws and regulations with which noncompliance could reasonably have a material effect on the financial statements.

Key Take-Aways: Incorporates a significant change from the current requirements, which focus audit efforts on those laws and regulations that have a direct and material effect on the financial statements.

Under the current standard, the auditor is not required to identify those laws and regulations that may indirectly affect the financial statements until they are determined to have a direct effect (e.g., through a material fine that needs to be recorded or a contingent obligation that needs to be disclosed). The proposal would require auditors to consider laws and regulations with which noncompliance could reasonably have either a direct or indirect material effect on the financial statements. The proposal uses noncompliance with environmental regulations that may result in material fines and penalties as an example with an indirect effect on the financial statements.

This change appears to require auditors to determine a complete population of laws and regulations to identify those that ‘could reasonably have a material effect on the financial statements’; however, the meaning of this phrase is not defined in the proposal. Instead, the proposal provides examples of laws and regulations that may be relevant because of potentially significant fines, penalties, or other damages to a company in the event of noncompliance. This may include laws and regulations in the areas of securities, environmental, privacy, and occupational health and safety, among others, and auditors and issuers would likely need to involve additional specialists with expertise in these areas.

Proposed Amendment: Assess and respond to risks of material misstatement of the financial statements due to noncompliance with the identified laws and regulations.

Key Take-Aways: Includes more explicit, unconditional requirements for assessing and responding to risks related to noncompliance compared to the current AS 2405 and ties the auditors’ responsibilities related to NOCLAR to the risk assessment concepts elsewhere in the auditing standards.

While current auditing standards encompass risks of material misstatement due to error or fraud, the current standards do not explicitly address risk of material misstatement due to NOCLAR. Also, the proposal would require the auditor to perform certain enhanced risk assessment procedures.

Proposed Amendment: Plan and perform procedures to identify whether there is information indicating noncompliance with the identified laws and regulations has or may have occurred.

Key Take-Aways: Incorporates a significant change from the current requirements, which require the auditor to plan and perform procedures responsive to those laws that have a direct and material effect and includes explicit procedures over the potentially large population of laws and regulations. The proposal would also remove existing language making it clear that currently auditors do not make legal judgments and often are not able to determine definitively that noncompliance has occurred. This change combined with the increase in the number of laws and regulations that are in scope for the audit could create an expectation that the audit will be providing some degree of assurance regarding the company’s compliance with laws and regulations.

Proposed Amendment: Perform procedures to evaluate the possible effect of likely NOCLAR on the financial statements (including material misstatements) and on other information and assess management's remediation of such NOCLAR.

Key Take-Aways: Adds to the procedures in the current AS 2405, including more specific consideration of involving specialists, evaluating the impact of likely NOCLAR on other information in documents containing audited financial statements (e.g., risk factors, MD&A and other sections of a 10-K), and assessing management’s remedial actions.

Proposed Amendment: Communicate likely instances of NOCLAR to appropriate parties at appropriate times during the audit, regardless of whether the effect of the noncompliance is perceived to be material to the financial statements.

Key Take-Aways: Incorporates management and audit committee communication requirements in Section 10A of the Securities Exchange Act of 1934 and would require communication at multiple points after a likely instance of NOCLAR has been identified.

The proposal would require initial communication to management and the audit committee when the auditor identifies or otherwise becomes aware of information indicating that noncompliance with laws and regulations has or may have occurred. It also would require a subsequent communication of whether an act was likely to be noncompliant after the auditor has evaluated whether it is likely noncompliance has occurred.


The PCAOB is also proposing to amend other auditing standards to better incorporate consideration of NOCLAR, including the following:

Proposed Amendment: Risk assessment (AS 2110: Identifying and assessing risks of material misstatements): Obtaining an understanding of the relevant regulatory environment, management’s processes related to identifying relevant laws and regulations, and preventing or addressing instances of actual or suspected NOCLAR (including any financial statement effects, and making specific inquiries related to NOCLAR).

Description: Provides more specific requirements for the auditor to obtain an understanding of management’s process to:

  • Identify laws and regulations with which noncompliance could reasonably have a material effect on the financial statements.
  • Prevent, identify, investigate, evaluate, communicate, and remediate potential noncompliance.
  • Receive and respond to tips and complaints.
  • Evaluate potential accounting and disclosure implications.

Expands the specific sources of information used in risk assessment, including executive officers’ social media accounts.

Proposed Amendment: Interim reviews (AS 4105: Reviews of Interim Financial Information): Clarifying the required interim procedures, including when likely NOCLAR may have occurred.

Description: Unclear as to extent of evaluation needed, which could impact timing of completing an interim review.


As proposed, and discussed in the KPMG Insights above, the amendments would have short- and long-term impacts on functions outside of financial reporting, such as legal, compliance, and risk management processes (e.g., compliance and investigation programs, compliance risk assessments, regulatory change, controls build and testing).
