
Dear SCCE & HCCA Members,

In June, the Public Company Accounting Oversight Board (PCAOB) proposed changes to its auditing standards relating to compliance. Members should be aware of these important changes. We encourage you to submit comments on the proposed changes to the PCAOB before the comment period closes on August 7.

Most of the proposal serves to modernize a compliance-related standard that has not been changed since 1988 and to make related changes to a standard on the procedures auditors perform to assess the risk of a company’s financial statements being misstated:

AS 2405 A Company’s Noncompliance with Laws and Regulations (formerly Illegal Acts by Clients)
AS 2110 Identifying and Assessing Risks of Material Misstatement

The changes are mostly quite positive and PCAOB should be commended for them, but there are a few areas where further changes should be made. Keep in mind that while PCAOB standards only apply to audits of public companies, the standards applicable to all other audits often change to remain in sync with the PCAOB standards.

First the good news. The proposed revisions place the risk of noncompliance on par with long-established standards pertaining to assessing the risk of fraud. Auditors will now be expected to assess how noncompliance could affect a company’s financial statements using similar procedures that are utilized to assess whether fraud exists that could impact the financial statements. Keep in mind that the role of auditors is limited to matters that could affect the financial statements.

The proposed standards also elevate the visibility and importance of compliance and ethics programs, as auditors will be expected to make inquiries about compliance risk assessments, whistleblower hotlines, and compliance programs (in particular, see the proposed changes to AS 2110.26 and new AS 2405.06). This added attention is a good thing and may even help to raise awareness of the importance of compliance programs at the board and senior management level.

But there are two areas where the standards should be strengthened further, and this is where I’d like to direct your attention in connection with submitting your comments to the PCAOB:

At various points throughout the standards, auditors are directed to make inquiries about compliance with the audit committee, management, the internal audit function (see AS 2405.06a), and in-house legal counsel (see AS 2110.57d). But nowhere does it require auditors to speak with the person in charge of compliance. A critical step in drawing important conclusions about the compliance program’s ability to prevent, identify and investigate compliance issues should involve speaking with the person(s) who has direct responsibility for the program. The standard (AS 2110.57) refers to making inquiries of “others” likely to have knowledge about instances of noncompliance. Why not require auditors to make this inquiry with the head of compliance? Who is best suited to discuss the state of compliance? Hopefully it’s the chief compliance officer.

In one section of the standards (AS 2110.56c), PCAOB begins a requirement with “If the company has an internal audit function, …”. Similar language could be used with respect to this inquiry of the chief compliance officer.

The two most important places in the proposed standards where this inquiry of the chief compliance officer should be addressed are in AS 2405.06a.(3) and AS 2110.57.

Secondly, on a related matter, the proposed standard’s guidance on inquiries of the audit committee (see AS 2110.56b(5)) states that auditors should ask about how the committee exercises oversight of the fraud risk assessment process, but it does not ask about compliance risk oversight. As we all know, an audit (or other) board-level committee should have responsibility for oversight of the compliance and ethics program. Accordingly, to adequately evaluate how a company manages compliance risk, auditors should ask the audit committee about its oversight of the compliance and ethics program, too.

The long and short of it is that the proposed revisions place an appropriate level of attention on learning about a company’s compliance and ethics program. But they do so without ever requiring the auditors to communicate directly with the chief compliance officer. While many auditors already do this as a matter of practice, this should be explicitly stated in the standards, so that auditors receive the most accurate information from the correct source.

For a complete copy of the proposed standards, go to:

https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket-051/pcaob-release-no.-2023-003---noclar.pdf?sfvrsn=fe43e8a_2

Note that the first 96 pages of this 146-page document are background and explanatory information. The text of the proposed standards begins in Appendix 1.


Instructions and a direct link to submit your comments can be found here (note that your comments should reference Docket 051):

https://pcaobus.org/about/rules-rulemaking/rulemaking-dockets/open-for-public-comment

Your help in elevating the importance of our profession is critical to its success. We’ll be submitting a comment letter on behalf of SCCE & HCCA. But your additional support is important so that the voice of the compliance and ethics profession is heard. Please read the proposed standard and submit your comments directly to PCAOB on or before August 7, 2023.

 

Best regards,

Gerry

 

Gerry Zack
CEO, SCCE & HCCA