Boardroom: An Aggressive Action

The Non-compliance With Laws and Regulations (NOCLAR) proposal would require external audit firms to look more aggressively for compliance and legal violations at their client companies. When the audit firm does find potential violations, it would then need to report them to the board and management team more quickly, too.

Sounds reasonable and noble enough, right? If the audit firm brings compliance violations to the company’s attention, management would then need to address those concerns more quickly, and that benefits investors. What’s not to like about that idea? A lot, according to feedback the PCAOB received throughout the summer. Scores of comment letters arrived from audit committees, audit firms, compliance officers, governance activists, and many more corners of the corporate governance world. Divisions over the NOCLAR proposal run deep, touching on profound questions about the role of auditors in investor protection. 

One representative comment came from the Audit Committee Council, an association of corporate board directors that acts under the auspices of the Center for Audit Quality, a lobbying group for the audit industry. “We are concerned that the proposed amendments in the NOCLAR proposal are significantly broad in scope,” the council’s letter said. NOCLAR “tasks the auditor with responsibilities for which they do not have the expertise and will come at a significant cost without a commensurate benefit for what it seems the PCAOB is aiming to accomplish.” That’s quite the denunciation for something that sounds, at the abstract level, like a good governance idea. So, what’s really at stake here for auditors and audit committees that it’s provoking such fierce controversy? 

‘Auditors Are Not Lawyers’

The audit firms’ chief complaint is that the NOCLAR proposal would force them to act as lawyers, a task audit firms are not well-suited to do. Specifically, the proposal would require them to identify laws and regulations applicable to the company “and where non-compliance could have a material effect on the financial statements.”

Consider what that means. For auditors to identify the laws and regulations that might have a material effect on the company’s financial statements, they would first need to identify all the laws and regulations that apply to the company so they could pare down that list to whichever ones could have a material effect on the financials. That is a potentially enormous expansion of the auditor’s risk assessment, and many audit firms would likely need to consult with outside experts. Hence one common refrain among the NOCLAR critics: “Auditors are not lawyers.”

“Auditors do not have the level of expertise needed to complete the kind of expansive review … as would be required by the proposal,” wrote Kent Kresa, audit committee chair at NuScale Power Corp. “Auditors are not lawyers … additional costs will be imposed upon us by the proposed approach because public audit firms will seek to hire qualified audit, legal, and other specialized staff from the same sources as we do.”

The NOCLAR proposal also raises slippery questions about how external auditors would interact with internal auditors and corporate compliance teams. For example, the proposed standard would have external auditors ask the internal audit team whether it is aware of any potential compliance violations.

That’s a perilous question for internal audit. If the internal auditor doesn’t know of any violations, and the external auditor subsequently does find one and reports that to the audit committee, the internal auditor will look bad. Or if the internal auditor does know about a compliance or legal violation, is he or she just supposed to admit that to the external auditor? Because such a disclosure would most likely leave the general counsel or compliance officer incandescent with rage.

That brings us to two other lines of complaint about NOCLAR. First, corporate lawyers worry that the proposal could undermine attorney-client privilege. Corporate compliance officers, meanwhile, want the proposal amended so that external auditors would need to ask them about possible compliance risks, and have the auditor consult with the board’s committee that oversees the ethics and compliance program.

One such comment came from Douglas Currault, general counsel of mining giant Freeport-McMoRan. He worried that auditors might demand to see documents typically protected by attorney-client privilege — a privilege that vanishes when said information is disclosed to a third party. More broadly, oversight of a company’s compliance program is the purview of the board, the management team, and the general counsel, Currault wrote. The NOCLAR proposal would “require the auditor to independently determine noncompliance with laws and regulations … this could result in situations where the view of the auditor’s legal specialist conflicts with the company’s legal opinion.”

His comment reaches the crux of the issue: NOCLAR would drive external auditors to make independent assessments of the company’s compliance posture, something far outside the comfort zone of most boards and management teams. Is that appropriate? Does it leave audit committees stuck between management teams and auditors pitted against each other? How do internal audit and compliance teams fit into that more adversarial picture? 

The Argument in Favor of NOCLAR

The voices in favor of the NOCLAR proposal point out that existing standards for auditors and clients’ legal violations hail from the 1980s and need a makeover for modern times. Plus, federal securities law does require that when auditors come across evidence of an illegal act, they are first supposed to report that discovery to the audit committee, and ultimately to regulators if the board takes no action. So supporters say the NOCLAR proposal only clarifies and strengthens what auditors should already be doing anyway.

Jon Lukomnik, a long-time good-governance activist who served on the creditor committees after the WorldCom and Adelphia Communications scandals in the early 2000s, wrote to the PCAOB: “Those instances of noncompliance and the auditors’ failures to detect them earlier were direct motivations for the passage of the Sarbanes-Oxley law. … Clearly noncompliance was, and should still be, at the heart of investors’ and policymakers’ concerns around audit quality.”

Lukomnik gets to another central issue here: the range of corporate fraud that auditors should be looking for. Should auditors stick with their primary duty to find risk of material misstatement in the financial statements? Many compliance violations don’t result in the need to restate financials — but they can still inflict serious pain to investors in the form of depressed share price, regulatory settlements, higher costs, and management turnover. Shouldn’t someone be looking for those harms, too? Wouldn’t the auditor be a natural candidate for that job?

Those are the battle lines drawn by the PCAOB’s NOCLAR proposal. We don’t know when the PCAOB might issue a final standard (if at all) or how that final version might differ from the original proposal. But the debate to come is likely to be prolonged, profound, and contentious; the entire corporate governance community should pay attention.