Statement on Proposed New Standard Regarding Noncompliance With Laws and Regulations

Remarks as prepared for delivery

Today, we are continuing to pursue our investor-protection mandate by proposing amendments to AS 2405 – currently titled Illegal Acts by Clients – and related standards.

A company’s noncompliance with laws and regulations, including fraud, can have devastating consequences for investors. When sanctions, fines, and civil settlements directly affect a company’s bottom line, or reputational damage causes a company’s stock value to decline, innocent investors pay a price.

Unfortunately, there are no shortage of examples. Well-publicized issues relating to Wells Fargo offer just one.

Last month, Wells Fargo agreed to pay $1 billion to settle a class-action lawsuit from investors alleging it made misleading statements about compliance with consent orders imposed by federal regulators.1

A lawyer for those investors underscored just who gets hurt when these incidents happen, saying the settlement would “help compensate hundreds of thousands of investors — state employees, nurses, teachers, police, firefighters and others — whose critical retirement savings were impacted by Wells Fargo's fraudulent business practices.2"

Those very same investors are who we are here to protect. And that’s what we are doing today with this proposal.

When an auditor signs an audit opinion on a company’s financial statements, they are signing their name to the fact that the financial statements “present fairly, in all material respects,” the company’s financial position and results of operations. Investors expect that all means all, including material respects impacted by noncompliance.

Unfortunately, the current standard on illegal acts fails to meet that expectation. In fact, it says an audit in accordance with PCAOB auditing standards does not include audit procedures specifically designed to detect all illegal acts that could have a material effect on the financial statements.3 Today, we are proposing to change that and ensure that the protection investors expect — the protection they deserve — matches the requirements in the standard.

The proposed standard, AS 2405, A Company’s Noncompliance with Laws and Regulations, strengthens the requirements for auditors to identify, evaluate, and communicate information that may indicate a company’s noncompliance with laws and regulations.

Identify

First, identify. The proposed standard requires the auditor to perform procedures to identify the laws and regulations with which noncompliance could reasonably have a material effect on the company’s financial statements during their initial risk assessment.

Consistent with performing risk assessment procedures, the proposed amendments would require the auditor to assess and respond to risks of material misstatement of the financial statements due to noncompliance with those laws and regulations, including identifying information indicating potential noncompliance. For example, the auditor would be required to inquire of management whether correspondence exists with the company’s relevant regulatory authorities regarding instances, or alleged or suspected instances, of fraud or other noncompliance with laws and regulations, and if so, the nature of that correspondence.

While the current standard could be interpreted to understand that the auditor has limited responsibilities with respect to noncompliance with certain laws and regulations unless they happen to stumble across the information, the new standard makes clear what investors already expect — that it is the auditor’s responsibility to proactively be on guard for all noncompliance that may have a material impact on the financial statements.

I want to be clear: this does not mean auditors are required to know every single law or regulation on the books. In fact, the proposal itself clearly states: “These laws and regulations would necessarily be relevant to the company or its operations but would not represent every law or regulation to which the company is subject.”

Other PCAOB standards already require auditors to have adequate technical training and proficiency to conduct an audit, which includes a basic understanding of a company’s regulatory environment. And the companies themselves know the laws and regulations they must follow, and which ones pose the greatest risks, because they have to include such risks to comply with certain disclosure requirements.

So, the laws and regulations for which noncompliance could reasonably have a material effect on a company’s financial statements are readily available to the auditor.

Evaluate

Next, evaluate. The proposed standard includes enhanced procedures related to how the auditor must evaluate information once they become aware that noncompliance with laws or regulations has or may have occurred.

Specifically, the proposed standard provides additional direction by requiring the auditor to consider whether specialized skill or knowledge is needed to assist the auditor as part of the evaluation.

The existing standard only requires the auditor to consult with legal counsel or other specialists if management does not provide satisfactory information that there has been no illegal act.4 The proposal includes the requirement for the auditor to consider whether specialized skill or knowledge is needed because legal counsel or other specialists can provide valuable assistance to the auditor’s evaluation.

Requiring auditors to contemplate whether use of experts is needed is a common practice across PCAOB standards, including when performing risk assessments, planning or performing audit procedures, and when evaluating audit results. So, this proposal is not requiring anything out of the ordinary for auditors.

Communicate

Finally, communicate. Problems can’t be fixed unless they are known.

The existing standard merely requires the auditor to communicate to the audit committee illegal acts that come to the auditor’s attention as soon as practicable and prior to the issuance of the auditor's report.5

The proposed standard enhances communication by requiring the auditor to communicate to the audit committee in at least two specific instances: first, upon becoming aware of information indicating that noncompliance has or may have occurred, and then again, after the auditor has evaluated such information.

This would provide greater interaction between the auditor and management and the audit committee, with the goal of encouraging companies to take quick action to come into compliance and reduce investor harm caused by legal and regulatory penalties.

Conclusion

The PCAOB has grappled with the need to strengthen AS 2405 for nearly two decades. I strongly believe that now is the time to move this standard forward and invite everyone to help us bring this long-overdue project to a conclusion for the benefit of investors. I look forward to the additional feedback we will receive during the comment period, and I encourage all to comment.

I would like to thank the individuals that have significantly contributed to this proposal. Specifically, I would like to thank in the Office of the Chief Auditor, Barb Vanich, Jessica Watts, Lisa Calandriello, Kevin Lombardi, and Michael Shimansky; in the Office of Economic and Risk Analysis, Mike Gurbutt, Tian Liang, Federico Garcia, and John Cook; in the Division of Enforcement and Investigations, Rebecca Mealey; and in the Office of General Counsel, James Cappoli, Connor Raso, and Michael Ungar.

I would also like to express my gratitude to my fellow Board members and their staff for their contributions to this proposal. In addition, I would like to recognize the support provided by staff from the Division of Registration and Inspections, the Division of Enforcement and Investigations, and the Office of Communications and Engagement.

Finally, I would like to thank the Securities and Exchange Commission’s staff, including the staff of the SEC’s Office of the Chief Accountant for their support and assistance.

The current standard was adopted by the PCAOB in April 2003 based on a standard issued by the Auditing Standards Board of the American Institute of Certified Public Accountants in 1988.6

In the 35 years since 1988, we’ve seen far too many examples of investors getting hurt due to noncompliance with laws and regulations. We’ve seen changes in federal securities laws.7 And we’ve heard calls from investors for auditors to live up to their responsibilities to ensure financial statements are presented fairly, in all material respects.

It’s time we answer those calls.

2 https://www.cbsnews.com/news/wells-fargo-1-billion-settlement-shareholder-lawsuit/.

3 See generally, paragraph .08 of AS 2405, Illegal Acts by Clients.

4 See AS 2405.10.

5 See AS 2405.17.

6 See Statement on Auditing Standards No. 54, Illegal Acts by Clients (Apr. 1988).

7 See Section 10A of the Exchange Act, Private Securities Litigation Reform Act of 1995, Pub. L. No. 104-67, 109 Stat. 737, § 301 (Dec. 22, 1995); see also the Sarbanes-Oxley Act of 2002, 15 U.S.C. § 7262.