"Why, sometimes I've believed as many as six impossible things before breakfast."
-- The Red Queen, Lewis Carroll's "Through the Looking Glass," 1872
As I was pleased to address today for Bloomberg, the American audit regulator is at it again:
The Public Company Accounting Oversight Board is promoting a flawed plan to escalate the responsibility of auditors for their clients’ noncompliance with laws and regulations, called NOCLAR. As proposed, the auditors’ duties would be new, expanded, and impossible to fulfill.
For context, current standards recognize that “whether an act is, in fact, illegal is a determination that is normally beyond the auditor’s professional competence.” Reflecting reality, the standards have provided since 1988 that an audit normally “does not include audit procedures specifically designed to detect illegal acts.”
The PCAOB’s draft rules would both raise the bar and obscure its height. On top of the standard for fraud detection (AS 23401), auditors would:
- “Identify the laws and regulations with which noncompliance could reasonably have a material effect”
- “Assess and respond to risks of material misstatement” caused by “noncompliance with those laws and regulations”
- “Identify whether there is information indicating noncompliance with those laws and regulations has or may have occurred”
Supporters of the proposal include PCAOB chair Erica Williams, who said, “We’ve seen far too many examples of investors getting hurt due to noncompliance with laws and regulations. And we’ve heard calls from investors for auditors to live up to their responsibilities. It’s time we answer those calls.”
The new standard “is a great step forward for auditor responsibility and empowerment, and for the protection of investors and the markets,” board member Kara Stein said.
However, opposition from corporate America and the large and small accounting firms on whom the burden will fall comprised the bulk of the now 137 comment letters posted to date. The comment period ended in August.
PCAOB member Duane DesParte, one of the two dissenters on the five-member board, said the “expanded scope raises concerns when coupled with the additional proposed requirement for auditors to ‘plan and perform procedures to identify whether there is information indicating noncompliance.’”
The lines of disagreement are drawn with a sharp and simple reason to be wary: The Big Audit model isn’t designed to meet the proposal’s expectations or to bear its consequences.
The only meaningful assessment of auditor performance is in the small number of cases that “go wrong,” with the inevitable question—"Where were the auditors?”—tested in the litigation or regulatory actions that arise with serious corporate malfeasance.
NOCLAR reporting has challenged audit practices for decades. In the courtroom, the plaintiffs’ script follows a crisp and successful template: The “audit plan” was incomplete or inadequate - the auditor’s “search” was insufficient to catch the illegality at issue - even assuming thorough planning and search, the auditors failed to identify and mitigate this particular wrongdoing.
The auditors’ defense is that as non-lawyers who aren’t trained in substance or procedure of criminal law, they were fooled by the concealed criminality of their malfeasant clients—no less than general participants in the capital markets.
DesParte flagged what would be a changed and more threatening environment: “While the proposal focuses the auditor on those ‘laws and regulations with which noncompliance could reasonably have a material effect on the financial statements,’ the filtering threshold of ‘reasonably could’ is not adequately explained in the proposal and is not addressed elsewhere in PCAOB standards.”
Under the proposed standard, the plaintiffs’ updated playbook would argue that a particular illegality or noncompliance should have been identified as material and that indicators of noncompliance that may have occurred were overlooked.
Translating DesParte’s diplomacy into the ruder language of litigation exposure - if anything, the proposed standard’s ambiguities and imprecision would mean that defense of the auditor’s work would become even more difficult, not less.
Compounding their difficulty, the auditors could expect little help from their clients’ in-house or outside counsel. The lawyers’ long-running protection of their privileged client communications (see the US Chamber of Commerce’s comment letter) enables a black hole in corporate reporting, by which the lawyers pretend to be unable to quantify their litigation and contingency assessments, while the auditors and information users pretend to believe them.
Going forward, the deserved scrutiny of the PCAOB’s proposal would compare the proposed standards with expectations under the old. A useful exercise would back-test recent examples. If the proposed standards had been in place, would there have been any difference in PwC’s audits of Colonial Bank? Or in Deloitte’s audits of Taylor Bean & Whitaker?
Those exposed illegalities may be the easy cases. What if the inquiry were more nuanced? Would KPMG’s procedures have differed in its audits of Silicon Valley Bank, where the question of legality still needs unpacking?
Or this: Verizon and AT&T recently have been sued in investor class actions over their failure to recognize the remediation costs of lead-clad cables, long since abandoned underground.
While no auditor’s risk assessment would wish exposure under both the environmental and securities laws, the auditors are flirting with the former—see the International Auditing and Assurance Standards Board’s advocacy of its proposed Global Sustainability Assurance Standard—while the scope of auditor diligence under the NOCLAR proposal is hardly likely to extend to ancient cables long buried and forgotten.
Comment letters on the proposal urged further public input, whether by task force, roundtables, or field testing. These might gracefully allow for reconsideration and retreat from the backward formulation of the PCAOB’s motivation, even as Williams contends the board’s majority is “simply making sure that the protection investors think they are getting today matches what the standard requires.”
That articulation should be concerning. A standard based on what one of the affected constituencies “thinks they’re getting” has it the wrong way around, even if the auditors are too delicate to say forthrightly, “we can’t” or too timorous to step up with “we won’t.”
For the sake of its credibility as it strives to show its value, the PCAOB should demonstrate better diligence over a proposal with potential for such dramatic unintended consequences.
Originally published at Bloomberg Tax Insights & Commentary, September 8, 2023, and reproduced with permission. Copyright 2023 Bloomberg Industry Group, Inc. (800-372-1033) www.bloombergindustry.com.
Alert for readers here, although too late to footnote in the Bloomberg version: on September 1, Francine McKenna provided a fulsome tour of the history of company reporting for litigation and other contingencies on her substack, The Dig -- both a helpful primer for new arrivals to the NOCLAR topic and a useful reminder for veterans of the long and tortured relationship between auditors and lawyers.
Thanks for joining this dialog. Please share with friends and colleagues. Comments are invited and welcome, and subscription sign-up is easy and free, both at the Main page.