Categories
Blog

PCAOB Proposed Rule on Compliance Audits

In the realm of auditors intersecting compliance and fraud risk audits, a fierce battle of perspectives rages on. Compliance professionals yearn for a bigger role, a seat at the table to tackle potential compliance violations. Yet, as the storm brews, the audit community hesitates, fearing the unfamiliar waters of becoming compliance and legal violation experts. Brace yourselves, for the unexpected outcome lies just beyond the horizon.

Compliance professionals are generally accepting of the idea that audit firms might look for compliance violations, as long as the proposal includes meeting with the chief ethics and compliance officer and reviewing the state of the compliance program with the audit committee. Many auditors do not want the additional responsibility, claiming it is outside their area of expertise and the requirement will increase audit costs.

Other trade and industry groups have weighed in as well. The American Bankers Association said in a letter “With respect to the legal function, auditors may be put into a position to second-guess a company’s own legal counsel regarding whether noncompliance may have occurred.  “With respect to the management function, the requirement that auditors perform ‘enhanced risk assessment procedures’ could result in auditors second-guessing how management allocates the company’s financial and human resources. This would not only blur responsibility between the legal, management and audit functions, but would also divert auditors’ time, attention and resources away from auditing financial statements.”

The group went on to note that  “Various federal and state regulatory authorities in the United States have a responsibility to examine, monitor and, where appropriate, bring enforcement actions against companies that do not adhere to laws and regulations. Moreover, given the many and varied private rights of action available against corporations in the United States, companies are subject to even further scrutiny and liability for noncompliance.”

Stephen Foley, writing in the Financial Times, said that some companies have objected that the implementation of the proposal might negatively impact the attorney/client privilege. He wrote “companies said the new rules could mean more correspondence with their lawyers would have to be shared with auditors, with the result that it loses its legal privilege and could become evidence in litigation.” He cited to Ronald Edmonds, controller at the chemicals group Dow, that “Company personnel could be more hesitant to disclose legal violations to their counsel if they fear that the communication will not be privileged. Attorneys may also hesitate to prepare written analysis for their clients for fear that it would end up non-privileged and ultimately in the hands of a legal adversary.”  Amy Johnson, controller at RTX said “The broad scope and volume of information that would be required to be shared with auditors is likely to encompass sensitive attorney advice.”

Conversely, PCAOB Chair Erica Williams told the FT, “Companies’ non-compliance with laws and regulations, including fraud, can really have devastating consequences for investors. This proposal is simply making sure that the protection investors think they’re getting today matches what the standard requires.” Foley cited to Brandon Rees, the AFL-CIO deputy director who said “All too often when a fraud is exposed, it rarely comes to light from the auditors. Auditing standards should require auditors to have uncomfortable conversations with management.”

The PCAOB will have to consider this feedback from its consultation period before deciding whether to push ahead with the proposal, or to amend or scrap it. Two of the five board members have said they are opposed to the new rules, but a simple majority is all that is needed. What are some of the issues that auditors may face if the proposed rule is enacted?

If auditors are mandated to assume more compliance responsibilities as per the proposal, there may be several challenges to address. One of the primary concerns is whether auditors have the requisite knowledge and training to identify and manage compliance violations efficiently. Furthermore, the elevated costs associated with hiring legal experts, coupled with the increased liability facing auditors can potentially create a barrier to the rule’s successful implementation.

The proposal has the potential to shape how audit firms approach their investigations into client companies, particularly with regard to compliance and legal violations. By requiring auditors to look more closely at non-compliance with laws and regulations, the proposal is intended to deliver more comprehensive audits and prevent financial fraud. However, the incorporation of duties usually performed by legal professionals into the auditing process could complicate the auditors’ role, potentially raising costs and increasing liability.

The proposed rule generates divided opinions between compliance professionals and the audit community. Compliance executives generally support the proposal, provided it includes engagement with the chief ethics and compliance officer, and necessitates a comprehensive review of the compliance program with the audit committee. On the contrary, most auditors, represented by the PCAOB, argue against the implementation of this rule, citing a lack of necessary expertise to identify compliance violations, and increased burden of audit fees.

If auditors are mandated to assume more compliance responsibilities as per the proposal, there may be several challenges to address. One of the primary concerns is whether auditors have the requisite knowledge and training to identify and manage compliance violations efficiently. Furthermore, the elevated costs associated with hiring legal experts, coupled with the increased liability facing auditors can potentially create a barrier to the rule’s successful implementation.

Compliance professionals and the audit community clash over a proposed rule on auditors reporting compliance violations. As tensions rise and perspectives collide, can these two groups find common ground or will they remain at odds, leaving the fate of the proposal uncertain?

Categories
Great Women in Compliance

Joelle Thorne-Peters – Be Audit You Can Be

Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.

This week we are pleased to feature Joelle Thorne-Peters who is a Compliance Audit expert.  She shares with us her thoughts on what Compliance audit is about, what to look for when hiring audit professionals and commentary on the enjoyable phrase “You don’t have to be a clown to audit the circus”.

She also shares some perennial issues that are always worth keeping in mind as stones to turn over, an emerging risk for our radars, espouses a view on where Compliance audit should sit in the organization and thoughts on how Compliance can better work with internal audit.

The Great Women in Compliance Podcast is on the Compliance Podcast Network with a selection of other Compliance related offerings to listen in to.  If you are enjoying this episode, please rate it on your preferred podcast player to help other likeminded Ethics and Compliance professionals find it.  If you have a moment to leave a review at the same time, Mary and Lisa would be so grateful.  You can also find the GWIC podcast on Corporate Compliance Insights where Lisa and Mary have a landing page with additional information about them and the story of the podcast.  Corporate Compliance Insights is a much-appreciated sponsor and supporter of GWIC, including affiliate organization CCI Press publishing the related book; “Sending the Elevator Back Down, What We’ve Learned from Great Women in Compliance” (CCI Press, 2020).

If you enjoyed the book, the GWIC team would be very grateful if you would consider rating it on Goodreads and Amazon and leaving a short review.  Don’t forget to send the elevator back down by passing on your copy to someone who you think might enjoy reading it when you’re done, or if you can’t bear parting with your copy, consider it as a holiday or appreciation gift for someone in Compliance who deserves a treat.

You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast.

Join the Great Women in Compliance community on LinkedIn here.

Categories
31 Days to More Effective Compliance Programs

The compliance audit


One clear best practices to gauge the compliance culture and evaluate the strength of controls, is to conduct periodic audits to ensure that controls are functioning well.  Interestingly, compliance in many ways follows some of the paths laid out by corporate safety departments some 20-30 years ago when safety became much more high profile in U.S. corporations. The safety committee and safety audits became mainstays of any best practices in the area of safety for a company. These techniques inform any anti-corruption best practices compliance program. Indeed, audits were specifically delineated as far back as the 2012 FCPA Guidance to assist in the continuous monitoring of your compliance regime. Such an audit can be thought of as a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the compliance criteria are fulfilled. There are three factors which are critical for a compliance audit to have a chance for success: 1) an effective audit program which specifies all necessary activities for the audit; 2) having competent auditors in place; and 3) an organization that is committed to being audited.
Auditing is a more limited review that targets a specific business component, region or market sector during a timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. In other words, the protocol is simple, everyone understands you need to audit, but try and cut costs or corners and you will pay for it in the long run.
Three key takeaways:

  1. Auditing takes a deep dive into your high-risk compliance areas.
  2. Internal audit should test your key compliance risk areas as a part of their regular auditor rotation.
  3. The findings uncovered in an audit must be used in your compliance regime going forward.