Notice2024-28148
Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules on Firm Reporting
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
December 5, 2024
Issuing agencies
Securities and Exchange Commission
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 234 (Thursday, December 5, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 234 (Thursday, December 5, 2024)]
[Notices]
[Pages 96712-96787]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-28148]
[[Page 96711]]
Vol. 89
Thursday,
No. 234
December 5, 2024
Part II
Securities and Exchange Commission
-----------------------------------------------------------------------
Public Company Accounting Oversight Board; Notice of Filing of Proposed
Rules on Firm Reporting; Notice
��Federal Register / Vol. 89 , No. 234 / Thursday, December 5, 2024 /
Notices��
[[Page 96712]]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-101723; File No. PCAOB-2024-07]
Public Company Accounting Oversight Board; Notice of Filing of
Proposed Rules on Firm Reporting
November 25, 2024.
Pursuant to Section 107(b) of the Sarbanes-Oxley Act of 2002
(``Sarbanes-Oxley'' or the ``Act''), notice is hereby given that on
November 22, 2024, the Public Company Accounting Oversight Board (the
``Board'' or the ``PCAOB'') filed with the Securities and Exchange
Commission (the ``Commission'') the proposed rules described in items I
and II below, which items have been prepared by the Board. The
Commission is publishing this notice to solicit comments on the
proposed rules from interested persons.
I. Board's Statement of the Terms of Substance of the Proposed Rules
On November 21, 2024, the Board adopted amendments to its annual
and special reporting requirements for audit firms (collectively, the
``proposed rules''). The text of the proposed rules is set out below.
The text of the proposed rules appears in Exhibit A to the SEC Filing
Form 19b-4 and is available on the Board's website at Docket 055
[verbar] PCAOB (<a href="http://pcaobus.org">pcaobus.org</a>) and at the Commission's Public Reference
Room.
II. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules
In its filing with the Commission, the Board included statements
concerning the purpose of, and basis for, the proposed rules and
discussed any comments it received on the proposed rules. The text of
these statements may be examined at the places specified in Item IV
below. The Board has prepared summaries, set forth in sections A, B,
and C below, of the most significant aspects of such statements. In
addition, the Board has requested that the Commission approve the
proposed rules, pursuant to Section 103(a)(3)(C) of the Act, for
application to audits of emerging growth companies (``EGCs''), as that
term is defined in Section 3(a)(80) of the Securities Exchange Act of
1934 (``Exchange Act''). The Board's request is set forth in section D.
A. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules
(a) Purpose
The Board has adopted amendments to its annual and special
reporting requirements to mandate the disclosure of more complete,
standardized, and timely information by registered public accounting
firms. The changes include enhanced reporting of firm financial,
governance, and network information; expanded special reporting; and
cybersecurity reporting, among other topics. After notice and comment,
the Board believes that the final amendments are necessary or
appropriate in the public interest or for the protection of investors
and would enhance firm transparency and improve the PCAOB's oversight
of audit firms.
As the Board has previously observed, robust disclosure is the
cornerstone of the U.S. federal securities regulatory regime and is
essential to efficient capital formation and allocation.\1\ Access to
meaningful information about a public company allows investors to make
informed judgments about the company's financial position and the
stewardship exercised by the company's directors and management. With
the passage of the Sarbanes-Oxley Act of 2002 (``Sarbanes-Oxley''),
Congress acknowledged and re-emphasized the auditor's important
gatekeeping role within the public company reporting framework and
required PCAOB-registered firms to submit public annual reports to the
Board.\2\ Sarbanes-Oxley also provides that firms may be required to
report more frequently and authorizes the Board to require ``such other
information as the rules of the Board or the Commission shall specify
as necessary or appropriate in the public interest or for the
protection of investors.'' \3\
---------------------------------------------------------------------------
\1\ See Improving the Transparency of Audits: Proposed
Amendments to PCAOB Auditing Standards to Provide Disclosure in the
Auditor's Report of Certain Participants in the Audit, PCAOB Rel.
No. 2013-009, at 2 (Dec. 4, 2013).
\2\ See Section 101(a) of Sarbanes-Oxley, 15 U.S.C. 7211(a);
Senate Report No. 107-205, at 5-6 (July 3, 2002).
\3\ See Sections 102(b)-(e) of Sarbanes-Oxley.
---------------------------------------------------------------------------
The Board has observed an increase in voluntary audit firm
transparency reporting, potentially reflecting market demand for more
information regarding firms to support informed decision-making by
market participants. The Board has also observed other jurisdictions
implementing audit firm reporting initiatives. Indeed, investors and
investor-related groups have long sought more transparency about firms,
asserting that additional data and information would help investors
make informed decisions about investing their capital, ratifying the
selection of auditors, and voting for members of the board of
directors, including directors who serve on the audit committee.\4\
Investor and investor-related group comments on this rulemaking
evidence their continuing support for enhanced transparency.
---------------------------------------------------------------------------
\4\ See, e.g., Comment No. 4 from Members of the Investor
Advisory Group (``IAG'') (Jan. 13, 2023), Rulemaking Docket 046:
Quality Control, available at <a href="https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket046/4_iag.pdf?sfvrsn=1941e7c0_4">https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket046/4_iag.pdf?sfvrsn=1941e7c0_4</a>; Comment No. 5 from the Council of
Institutional Investors (Jan. 19, 2023), Rulemaking Docket 046:
Quality Control, available at <a href="https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket046/5_cii.pdf?sfvrsn=69b3e6bd_4">https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket046/5_cii.pdf?sfvrsn=69b3e6bd_4</a>; Center for Audit Quality (``CAQ''),
Audit Quality Disclosure Framework (Jan. 2019), available at
caq_audit_quality_disclosure_framework_2019-01.pdf (<a href="http://thecaq.org">thecaq.org</a>);
PCAOB Investor Advisory Group Meeting (Oct. 27, 2016), available at
<a href="https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting_1052">https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting_1052</a>.
---------------------------------------------------------------------------
Prior to this rulemaking, the basic framework for the PCAOB's
annual and special reporting requirements, however, had not been
substantively reevaluated since its adoption in 2008.\5\ The Board has
considered the reporting requirements established in 2008, the staff's
experience with those requirements, concerns raised by investors
regarding a lack of audit firm transparency, and comments received in
connection with this rulemaking. The Board believes that improvements
to the reporting requirements should be made to facilitate more public
disclosure about aspects of registered firms' operations that could
impact firms' ability to conduct quality audits, and that such
disclosure will be informative and useful to investors, audit
committees, and other stakeholders \6\ when evaluating audit firms and
the audits of public companies. The Board further believes that the
reporting requirements it has adopted will enhance investor confidence
in public company audits and, therefore, in financial reporting.
---------------------------------------------------------------------------
\5\ The PCAOB amended its rules and form in 2013 to conform to
the Dodd-Frank Wall Street Reform and Consumer Protection Act as it
relates to the Board's oversight of audits of broker-dealers. See
Amendments to Conform the Board's Rules and Forms to the Dodd-Frank
Act and Make Certain Updates and Clarifications, PCAOB Rel. No.
2013-010 (Dec. 4, 2013).
\6\ Throughout the release the Board often refers to investors
and audit committees as the principal users of the public reporting.
This does not foreclose use by other stakeholders.
---------------------------------------------------------------------------
In addition to transparency benefits, enhanced reporting
requirements will facilitate the PCAOB's regulatory functions, and
thus, better inform the
[[Page 96713]]
Board's oversight activities to protect investors. Specifically, the
Board believes that more disclosure about registered firms will (1)
facilitate monitoring of firms for risks or issues that, individually
or taken together with other factors, may affect the ability of firms
to conduct quality audits and may potentially affect the broader market
for audit services; (2) facilitate analysis and planning related to the
PCAOB's inspection program; (3) identify circumstances or events that
may warrant or inform enforcement investigations; and (4) inform the
PCAOB's standard-setting process.
Although the PCAOB may request information from firms from time to
time as part of its regulatory activities, requiring the regular
periodic and special reporting of certain information will standardize
the provision of the information and enhance its comparability and
timeliness, supporting the PCAOB's regulatory functions and therefore
supporting investor protection.
The Board has considered comments raising concerns that the
reported information may not be useful or may be misunderstood by
investors and other stakeholders. As an initial matter, investors and
investor-related groups have consistently called for greater audit firm
transparency, including in comments in connection with this rulemaking,
and stated that these types of reporting requirements will inform their
decision-making. In addition, the Board notes that similar objections
regarding the benefit of disclosure were raised in connection with
recent past rulemakings requiring additional information about audits
and auditors to be made public, namely Form AP reporting of the name of
the engagement partner and information about other firms participating
in the audit, and auditor communication of critical audit matters
(CAMs). In both those cases, the Board has observed that the new
information is sought after. The Form AP data set is now one of the
most frequently visited areas of the Board's website.\7\ As for CAMs,
in a recent investor survey conducted by a firm-related group, over 90%
of the respondents indicated that CAMs play an important role in their
investment decision-making.\8\ The Board's experience suggests that
additional information about auditors and audit engagements is accessed
and relied upon by the Board's stakeholders when it is available.
Moreover, the PCAOB has continued to find both anticipated and new uses
for reported information.
---------------------------------------------------------------------------
\7\ In 2023, there were over 333,000 unique searches performed
on AuditorSearch and the Form AP dataset was downloaded over 2,000
times. Information related to usage statistics can be found on the
PCAOB's website (<a href="https://pcaobus.org/resources/auditorsearch">https://pcaobus.org/resources/auditorsearch</a>).
\8\ The Center for Audit Quality Critical Audit Matters Survey
(July 2024) at 9.
---------------------------------------------------------------------------
Finally, when the Board proposed these requirements, the Board
strove to craft targeted amendments to existing reporting requirements
to support its transparency and regulatory objectives. In formulating
the final amendments, the Board has given careful consideration to the
comments received to further refine the amendments to best achieve the
objectives of this rulemaking. In particular, the Board has tailored
the requirements to focus on specific disclosures that should be most
useful to PCAOB staff in its oversight of audit firms and to investors,
audit committees, and others in their decision-making and evaluation of
audit firms.
Final Amendments
The final amendments will revise the annual and special reporting
framework in the following ways:
<bullet> Revise the annual reporting form (``Form 2'' or the
``Annual Report Form'') to require more information regarding a firm's
network arrangements; leadership and governance structure; and fees
collected, and implement a new requirement for the largest accounting
firms to confidentially submit financial statements to the PCAOB in a
specified manner.
<bullet> Revise the special reporting form (``Form 3'' or the
``Special Reporting Form'') to expand the scope of special reporting
for a subset of firms to include (on a confidential basis) events that
pose a material risk, or represent a material change, to the firm's
organization, operations, liquidity or financial resources, in such a
manner that they will affect the provision of audit services
(``material event reporting''); and to require material event reporting
within 14 days or more promptly as warranted;
<bullet> Implement new cybersecurity reporting requirements,
including reporting of significant cybersecurity incidents within five
business days on a confidential basis and public reporting of a brief
description of a firm's policies and procedures, if any, to identify,
assess, and manage cybersecurity risks; and
<bullet> Implement a new form (``Update to the Statement of
Applicant's Quality Control Policies and Procedures'' or ``Form QCPP'')
to capture updates to a firm's quality control policies currently
provided in a firm's application for registration (Form 1).
Key Changes From the Proposal
In consideration of comments received, the Board has modified the
final amendments in certain respects, including the following changes:
<bullet> Fee Reporting: The Board streamlined the fee disclosure
requirements to reduce disaggregation as compared to the proposal. The
final amendments will require that firms report the existing fee
disclosure categories in actual amounts (as opposed to percentages),
plus broker-dealer fees, and total fees for all clients. These changes
are to clarify, reduce burden, and focus the requirement on information
that provides insight into a firm's audit practice.
<bullet> Financial Statements: The Board adopted the requirement
for the largest firms to provide financial statements to the PCAOB
confidentially, but has eliminated the requirement to prepare them in
accordance with an applicable financial reporting framework. Instead,
the Board has prescribed certain minimum requirements for the financial
statements. This change is to mitigate the costs of this requirement
for firms while still ensuring the reporting requirement results in
improved standardization to improve the Board's insight into a firm's
practice, focus, and incentives, and inform the PCAOB's oversight of
registered firms.
<bullet> Governance and Network Reporting: The Board has adopted
the requirements related to firm governance and network arrangements
with modifications to streamline the requirements, increase clarity,
and further focus requirements on the registered entity's audit
practice.
<bullet> Special Reporting: The Board has not adopted the proposal
to accelerate the Form 3 reporting deadline, except that material event
reporting and cybersecurity incident reporting are required to be
reported under the proposed accelerated timeframes. This change is
intended to ease the burden, particularly for smaller firms, while
still requiring timely reporting of events of sufficient significance
and urgency to warrant more prompt reporting. The Board has adopted the
material event reporting requirement with modifications to clarify,
ease implementation, and better focus the requirement on information
relevant to a firm's audit practice. In addition, the Board has limited
the firms subject to the material event reporting requirement to those
that are annually inspected, i.e., firms that provide audit opinions
for more than 100 issuers annually.
[[Page 96714]]
<bullet> Cybersecurity Incident Reporting: The Board has adopted
the proposed requirements with modifications to language for clarity
and to better link disclosures to the firm's audit practice.
Effective Date
For annual and special reporting requirements, the Board has
adopted phased implementation to give smaller firms more time to
develop and test the necessary tools to comply with the requirements.
For the first phase, the final amendments will become effective as of
March 31, 2027, or two years after approval of the requirements by the
U.S. Securities and Exchange Commission (SEC), whichever occurs later.
The first phase applies to the largest firms as defined in new rule
4013. For the second phase, the final amendments will become effective
one year after the first. The second phase applies to all other firms
subject to the reporting requirements.
For Form QCPP, the Board has aligned the effective date for Form
QCPP with the effective date for QC 1000. Thus, the final amendments
will become effective December 15, 2025 and the deadline for filing is
30 days thereafter on January 14, 2026.
This release provides background on the Board's rulemaking project,
discusses comments received, and includes an economic analysis that
further considers the need for rulemaking and the anticipated economic
impacts of the Board's approach. Appendix 1 sets forth the text of the
form modifications, a new form, and rule amendments.
(b) Statutory Basis
The statutory basis for the proposed rules is Title I of the Act.
B. Board's Statement on Burden on Competition
Not applicable. The Board's consideration of the economic impacts
of the proposed rules is discussed in section D below.
C. Board's Statement on Comments on the Proposed Rules Received From
Members, Participants or Others
The Board released the proposed rule amendments for public comment
in PCAOB Release No. 2024-003 (April 9, 2024). The Board received 36
written comment letters. The Board has carefully considered all
comments received. The Board's response to the comments it received and
the changes made to the rules in response to the comments received are
discussed below.
Background and Key Considerations
Current Reporting Framework
Section 102(d) of Sarbanes-Oxley provides that each registered
public accounting firm shall submit an annual report to the Board and
may also be required to report more frequently ``such additional
information as the Board or the Commission may specify.'' \9\ In 2008,
the Board adopted rules and forms to govern and facilitate annual
reporting of certain information and to require, govern, and facilitate
special reporting of certain other information if specified events
occur.\10\
---------------------------------------------------------------------------
\9\ Section 102(d) of Sarbanes-Oxley provides:
Each registered public accounting firm shall submit an annual
report to the Board, and may be required to report more frequently,
as necessary to update the information contained in its application
for registration under this section, and to provide to the Board
such additional information as the Board or the Commission may
specify, in accordance with subsection (b)(2).
\10\ See Rules on Periodic Reporting by Registered Public
Accounting Firms, PCAOB Rel. No. 2008-004 (June 10, 2008).
---------------------------------------------------------------------------
The Board specified that the reporting requirements were intended
to serve three fundamental purposes. First, firms were required to
report information to keep the PCAOB's records current about such basic
matters as the firm's name, location, contact information, and
licenses. Second, firms were required to report information reflecting
the extent and nature of the firm's audit practice to facilitate
analysis and planning related to the PCAOB's inspection
responsibilities, to inform other PCAOB functions, and to provide
potentially valuable information to the public. Third, firms were
required to report circumstances or events that could merit follow-up
through the PCAOB's inspection or enforcement processes, and that may
otherwise warrant being brought to the public's attention (such as a
firm's withdrawal of an audit report in circumstances where the
information is not otherwise publicly available).\11\
---------------------------------------------------------------------------
\11\ See id. at 6.
---------------------------------------------------------------------------
The current reporting framework includes two types of reporting
obligations. First, it requires each registered firm to provide basic
information once a year about the firm and the firm's audit practice
over the most recent 12-month period. The firm must do so by filing an
annual report on Form 2. Second, upon the occurrence of specified
events, a firm must report certain information by filing a special
report on Form 3. The Board has not substantively revisited the annual
and periodic reporting framework set forth on Forms 2 and 3 since their
adoption in 2008.
At the time, the Board noted that, by adopting these requirements,
it did ``not mean to suggest that the information encompassed by these
rules is the only information that the Board will require firms to
report under Section 102(d) of the [Sarbanes-Oxley] Act.'' To the
contrary, the Board noted that it ``may identify other useful
requirements by, for example, monitoring public discussion of relevant
issues or considering disclosure requirements in other auditor
regulatory regimes,'' specifically citing the work of the Department of
the Treasury's Advisory Committee on the Auditing Profession (ACAP) as
a potential area of interest.\12\
---------------------------------------------------------------------------
\12\ See id. at 4-5.
---------------------------------------------------------------------------
In 2008, the Board adopted Form 4, Succeeding to Registration
Status of Predecessor, which permits a registered public accounting
firm's registration status to continue with an entity that survives a
merger or other change in the firm's legal form.\13\ Also, in 2015, the
Board adopted rules to require registered firms to file Form AP to
disclose the names of engagement partners and certain information about
other accounting firms that participated in their audits of public
companies.\14\ Form AP requires information specific to particular
audit engagements, rather than information that is firmwide and
operational in nature.
---------------------------------------------------------------------------
\13\ See Rules on Succeeding to the Registration Status of a
Predecessor Firm, PCAOB Release No. 2008-005 (July 29, 2008).
\14\ See Improving the Transparency of Audits: Rules to Require
Disclosure of Certain Audit Participants on a New PCAOB Form and
Related Amendments to Auditing Standards, PCAOB Release No. 2015-008
(Dec. 15, 2015).
---------------------------------------------------------------------------
In addition, in May 2024, the Board adopted new requirements (QC
1000, A Firm's System of Quality Control) for an audit firm's system of
quality control (QC) that included, among other things, the requirement
that a firm report to the Board annually the outcome of the evaluation
of the firm's QC system with respect to any period during which the
firm was required to implement and operate the QC system.\15\ QC 1000
was approved by the SEC in September 2024.
---------------------------------------------------------------------------
\15\ See A Firm's System of Quality Control and Other Amendments
to PCAOB Standards, Rules, and Forms, PCAOB Rel. No. 2024-005 (May
13, 2024).
---------------------------------------------------------------------------
Finally, in Firm and Engagement Metrics, the Board has concurrently
adopted public reporting of standardized firm- and engagement-level
metrics regarding a firm's audit work and audit practice. In
particular, the Board has adopted metrics in the following areas:
partner and management involvement; workload; training hours for audit
personnel;
[[Page 96715]]
experience of audit personnel; industry experience; retention of audit
personnel; allocations of audit hours; and restatement history.
Developments Since the Implementation of the Current Framework
The Board has considered various developments since the adoption of
the current annual and special reporting framework, including the
following:
<bullet> The staff's experience with the current reporting
framework;
<bullet> The issuance, and the staff's continued assessment, of the
ACAP Final Report to the Department of the Treasury (``ACAP Final
Report''), including (1) recommendations for the PCAOB to enhance firm
reporting and monitoring and (2) its emphasis on the risk that the
failure of a large audit firm could have disruptive effects on the
ability of firms to conduct quality audits and on the audit market;
<bullet> Audit firm transparency initiatives in other
jurisdictions, including certain mandatory reporting requirements, the
development of voluntary transparency reporting in the United
States,\16\ and studies of the effects of enhanced transparency on
audit quality and investor confidence;
---------------------------------------------------------------------------
\16\ See, e.g., CAQ, Audit Quality Report Analysis: A Year in
Review (Mar. 2023), available at <a href="https://www.thecaq.org/aqr-analysis-yir">https://www.thecaq.org/aqr-analysis-yir</a>. In 2023, the CAQ published a summary analysis of the
most recent audit quality reports issued by the eight firms
represented on the CAQ's Governing Board. The CAQ report noted that
some firms disclosed qualitative as well as quantitative
information, including information relating to audit methodology and
execution, people and firm culture, quality management and
inspections, and technology and innovation.
---------------------------------------------------------------------------
<bullet> PCAOB outreach and activities regarding audit firm
transparency;
<bullet> The growing risk to audit firms from cyberattacks and
cyberbreaches and the increase of such incidents at audit firms; \17\
and
---------------------------------------------------------------------------
\17\ See Gary Salman, The rise of cybercrime in the accounting
profession continues, Accounting Today Online (Aug. 24, 2020); see
also Maggie Miller, FBI sees spike in cyber crime reports during
coronavirus pandemic, The Hill (Apr. 16, 2020); see also Karen
Nakamura, Cybersecurity risk: Constant vigilance required, Journal
of Accountancy (Sept. 1, 2022). See also Department of Homeland
Security, Cyber Safety Review Board to Conduct Second Review on
Lapsus$ (Dec. 2, 2022), available at <a href="https://www.dhs.gov/news/2022/12/02/cyber-safety-review-board-conduct-second-review-lapsus">https://www.dhs.gov/news/2022/12/02/cyber-safety-review-board-conduct-second-review-lapsus</a>; Tim
Starks, The Latest Mass Ransomware Attack Has Been Unfolding For
Nearly Two Months, Washington Post (Mar. 27, 2023).
---------------------------------------------------------------------------
<bullet> The comments submitted to the PCAOB on the Firm Reporting
proposal.
1. Staff Experience With the Current Framework
The staff has at times received important information from
registered firms on a voluntary ad hoc basis rather than pursuant to
required reporting or through any formal mechanism. Examples of such ad
hoc reporting include changes in leadership, reductions in workforce,
pending merger transactions, and cybersecurity incidents. In addition,
the staff routinely requests certain information from firms, including
business and financial metrics, to inform inspection planning and
scoping that may be more efficiently collected in a standardized form
via periodic or special reporting. Finally, the staff has at times
found voluntarily and mandatorily reported information to be
incomplete, inaccurate, or insufficiently detailed. For example, the
staff has at times found fee information reported on the Annual Report
Form insufficiently specific, inconsistently reported from year-to-year
with respect to methodology, or not reported in accordance with form
instructions, which has inhibited the degree to which the information
can effectively inform the PCAOB's statutory oversight function.
2. ACAP Final Report
In October 2008, after the Board's adoption of Forms 2 and 3, the
ACAP--a committee of business leaders, investors, former SEC staff
members, and accounting professionals that had studied the auditing
profession for one year--issued the ACAP Final Report with
recommendations for the SEC, PCAOB, and auditing profession. In
presenting the ACAP Final Report, the ACAP co-chairs contended that
``[t]he major auditing firms are key actors in the public securities
markets'' and ``must comply with the same principles of transparency
that the Board asks of other major market actors, both for the sake of
the credibility of the market system as a whole, and for the
credibility and long-term health of the firms themselves.'' \18\
---------------------------------------------------------------------------
\18\ ACAP Final Report at II:6.
---------------------------------------------------------------------------
The ACAP Final Report included the following recommendations, among
others, for the PCAOB:
<bullet> Monitor potential sources of catastrophic risk which would
threaten audit quality; and
<bullet> Create a requirement for larger auditing firms to produce
a public annual report including, among other things, information
required by the European Union's transparency report, and to file on a
confidential basis with the PCAOB audited financial statements.\19\
---------------------------------------------------------------------------
\19\ Id. at VII:20, VIII:10. The ACAP Final Report included
recommendations in three areas: (i) concentration and competition,
(ii) firm structure and finance, and (iii) human capital. The two
bulleted recommendations come from areas (i) and (ii). The Board has
addressed other ACAP recommendations by, for example, adopting Form
AP which is in part responsive to an ACAP recommendation that the
PCAOB undertake a standard-setting initiative to consider mandating
the engagement partner's signature on the auditor's report.
---------------------------------------------------------------------------
In making these recommendations, the ACAP noted that the PCAOB was
``uniquely qualified to monitor the firms'' and that monitoring for
disruptions to the market that could threaten audit quality was
consistent with the PCAOB's mission and mandate.\20\ Within the report,
Treasury Secretary Henry Paulson noted the importance of striking a
balance between investor protection and market competitiveness, while
the ACAP co-chairs highlighted a related goal of reducing the barriers
for smaller firms to enter the public company audit market.\21\ This
release and the pursuant economic analysis consider these overarching
principles in connection with these requirements.
---------------------------------------------------------------------------
\20\ Id. at VII:24, VIII:11.
\21\ Id. at D:3, II:5.
---------------------------------------------------------------------------
The Board agrees that its mandate extends to monitoring firms and
the audit market for disruptions, including those related to firm
viability, staffing, or potential legal liabilities.\22\ For example,
in the event of a solvency-threatening event at an audit firm, the
Board would need adequate information to assess whether that failure
may have a disproportionate impact on a particular sector and the
extent to which other audit firms are positioned to absorb the
threatened firm's companies under audit.\23\ The Board would also need
adequate information to respond to inquiries from its oversight
authorities, the SEC and Congress, to share pertinent information with
other regulators as appropriate, and to consider appropriate guidance
regarding transitioning audit clients.
---------------------------------------------------------------------------
\22\ See Section 101(c)(5) of Sarbanes-Oxley, which provides, in
addition to performing core functions such as registrations and
inspections, the Board's duties extend to ``perform[ing] such other
duties or functions as the Board (or the Commission, by rule or
order) determines are necessary or appropriate to promote high
professional standards among, and improve the quality of audit
services offered by, registered public accounting firms and
associated persons thereof, or otherwise to carry out this Act, in
order to protect investors, or to further the public interest.''
\23\ For the purposes of this standard, the phrase ``issuer
under audit'' or ``company under audit'' has the same meaning as
``audit client'' under PCAOB Rule 3501(a)(iv).
---------------------------------------------------------------------------
Some comment letters on the proposal supported the PCAOB's efforts
to fulfill the ``long overdue'' ACAP recommendation to require audit
firms to uniformly disclose certain information about their
organization
[[Page 96716]]
and operations and for larger audit firms to issue audited financial
statements. On the other hand, one commenter pointed to the costs of
implementing this release's disclosure regime and stated that Treasury
Secretary Henry Paulson in the ACAP Final Report emphasized the
importance of striking a balance between investor protection and market
competitiveness, and the ACAP co-chairs highlighted a goal of reducing
the barriers for smaller firms to enter the public company audit
market. Another commenter stated that the ACAP Final Report's
recommendations are advisory and unconstrained by determinations of
PCAOB authority.
As explained throughout this release, the Board believes that the
adopted amendments will ultimately enhance investor protection and
improve audit quality while not unduly burdening firms. In addition,
the Board discusses the ACAP Final Report as appropriate context for it
to consider in the course of this rulemaking, not as binding on the
Board nor as conferring any authority on the Board.
3. Transparency Reporting Developments
Currently, in certain other jurisdictions, audit firms disclose
governance and other information according to legal and regulatory
frameworks, including those imposed by authorities in the European
Union, the United Kingdom, Japan, and Canada. For example, the European
Union's transparency report requires a description of the legal
structure and ownership of the audit firm, network-related information,
a description of the governance structure of the audit firm,
information concerning the basis for the partners' remuneration, and
information regarding revenue, including disaggregation of revenue from
audit and non-audit services.\24\
---------------------------------------------------------------------------
\24\ See Regulation (EU) No 537/2014 of the European Parliament
and of the Council of 16 April 2014 on specific requirements
regarding statutory audit of public-interest entities and repealing
Commission Decision 2005/909/EC Text with EEA relevance at Article
13, available at <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32014R0537">https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32014R0537</a>.
---------------------------------------------------------------------------
In 2021, the International Forum of Independent Audit Regulators
(IFIAR) published a report analyzing developments in the audit market,
including developments in transparency reporting.\25\ Discussing a
survey of IFIAR members, the report noted that, of 50 respondents, 36
had adopted transparency reporting by audit firms and, of those 36, 27
had done so on a mandatory basis.\26\ The report further observed that,
while transparency reporting may vary from jurisdiction to
jurisdiction, transparency reports generally include ``information
related to governance and commitments of each firm including but not
limited to legal/governance structure; relationships with an audit firm
network; quality control system and outcomes; tone at the top;
development of qualified professionals; financials; and responses to
relevant regulations.'' \27\
---------------------------------------------------------------------------
\25\ See IFIAR, Internationally Relevant Developments in Audit
Markets (July 20, 2021), available at <a href="https://www.ifiar.org/?wpdmdl=13063">https://www.ifiar.org/?wpdmdl=13063</a>.
\26\ See id. at 24.
\27\ See id. at 23-24 (footnote omitted).
---------------------------------------------------------------------------
Recent academic studies support these initiatives, having found
that audit firms subject to transparency regulations display
improvement in audit quality, and transparency is associated with
improved investor confidence,\28\ as discussed more fully in the
release's economic analysis.
---------------------------------------------------------------------------
\28\ See, e.g., Shireenjit K Johl, Mohammad Badrul Muttakin,
Dessalegn Getie Mihret, Samuel Cheung, and Nathan Gioffre, Audit
firm transparency disclosures and audit quality, 25 International
Journal of Auditing 508 (2021); Fabio La Rosa, Carlo Caserio, and
Francesca Bernini, Corporate Governance of Audit Firms: Assessing
the usefulness of transparency reports in a Europe[hyphen]wide
Analysis, 27 Corporate Governance: An International Review 14
(2018).
---------------------------------------------------------------------------
Many firms also voluntarily disclose governance and other
information in transparency reports. For example, one audit quality
disclosure framework published in 2023 seeks to support those firms'
efforts with a disclosure framework ``to assist firms in their ongoing
efforts to determine, assess, and communicate information that may be
useful to stakeholders in understanding how audit quality is supported
and monitored at the firm level.'' \29\ Among other things, the model
disclosure framework emphasizes governance disclosures, noting that
``organizational structure and composition of a firm's governing body,
leadership team, internal committees, professional practice group
(e.g., national office or similar body), audit quality networks, and
partnerships/alliances (for example) give insight into who is
responsible for oversight of audit quality initiatives.'' \30\
---------------------------------------------------------------------------
\29\ See CAQ, Audit Quality Disclosure Framework (Update) (June
2023), available at <a href="https://thecaqprod.wpenginepowered.com/wp-content/uploads/2023/06/caq_audit-quality-disclosure-framework-update_2023-06.pdf">https://thecaqprod.wpenginepowered.com/wp-content/uploads/2023/06/caq_audit-quality-disclosure-framework-update_2023-06.pdf</a>.
\30\ See id.
---------------------------------------------------------------------------
As another example, in 2015, after yearslong public engagement and
study, the International Organization of Securities Commissions (IOSCO)
published a report.\31\ In connection with this consultation, IOSCO
observed that ``[m]ost investors, audit oversight bodies, and banking
and securities regulators expressed views that increased transparency
reporting should be an obligation of audit firms and that such
reporting could have direct or indirect benefits, including a favorable
impact on audit quality.'' \32\ IOSCO further noted that ``user/
investor groups and auditor oversight bodies and regulators expressed
support for the full range of transparency reporting discussed in the
Consultation Paper,'' which included information related to audit firm
governance, audit firm financial statements, and audit quality
indicators.\33\ Respondents from the audit profession, the report
notes, ``broadly supported transparency reporting related to audit firm
organization and governance, to make the structure of the firm more
transparent to stakeholders, but had mixed views on transparency
reporting of audit firm operational metrics and performance statistics
that might serve as audit quality indicators, especially with respect
to public reporting of such information.'' \34\
---------------------------------------------------------------------------
\31\ See IOSCO, Transparency of Firms that Audit Public
Companies Final Report (Nov. 2015), available at <a href="https://www.iosco.org/library/pubdocs/pdf/IOSCOPD511.pdf">https://www.iosco.org/library/pubdocs/pdf/IOSCOPD511.pdf</a>.
\32\ See IOSCO, Comments Received in response to Consultation
Reports on Issues Pertaining to the Audit of Publicly Listed
Companies (2010), at 12, available at <a href="https://www.iosco.org/library/pubdocs/pdf/IOSCOPD337.pdf">https://www.iosco.org/library/pubdocs/pdf/IOSCOPD337.pdf</a>.
\33\ See id. at 12-14.
\34\ See id. at 13.
---------------------------------------------------------------------------
In issuing its report, IOSCO observed that ``in comparing audit
firms competing for an audit engagement, audit firm transparency
reporting can aid those responsible for selecting a public company's
auditor in their decision making process by providing information on a
firm's audit quality,'' and that ``[t]ransparency reporting can foster
internal introspection and discipline within audit firms and may
encourage audit firms to sharpen their focus on audit quality, which
would also be of benefit to investors and other stakeholders.'' \35\
The report contended that an audit firm transparency report could be
considered of high quality if the information in the report included,
among other elements, information about the audit firm's legal and
governance structure.\36\
---------------------------------------------------------------------------
\35\ See IOSCO, Transparency of Firms (2015), at 1.
\36\ See id.
---------------------------------------------------------------------------
Thus, there is substantial transparency reporting by audit firms,
including but not limited to audit firm financial, governance, and
network-related information, both in response to regulatory
requirements and to market demands. Much of this reporting, moreover,
provides information beyond what is currently required by the
[[Page 96717]]
PCAOB's periodic and special reporting requirements.
Some commenters on the proposal acknowledged that transparency
reports have not completely resolved the present opacity with respect
to various aspects of audit firms and that the Board's proposed
revisions would mitigate this lack of transparency. In contrast, some
commenters stated that voluntary transparency reports already contain
some of the information the Board has requested or that the PCAOB
should more closely study such reports to pinpoint any duplicative
disclosure requirements. The Board agrees that some firms already
disclose some of the information in the final amendments in voluntary
transparency reports. But the Board's analysis indicates such
information is not consistent or comparable across firms or even year
to year for the same firms. The Board continues to believe that
voluntary transparency reporting has not sufficiently mitigated audit
firm opacity, and that the final amendments will promote further
transparency and enhance standardization and comparability of available
information.
4. PCAOB Advisory Group Input
The PCAOB's June 2022 Investor Advisory Group (IAG) meeting
included discussion of audit firm transparency, including support for
reporting measures of audit quality and other outstanding ACAP
recommendations.\37\ For example, during an IAG discussion that was
focused on the relationship between a firm's audit practice and the
firm's overall business, an IAG member urged the PCAOB to revisit
ACAP's recommendations and noted ACAP's emphasis on governance,
leadership, and structure and business model.\38\ Moreover, the IAG
previously discussed the status of ACAP recommendations, including the
recommendation for large firms to submit financial statements, which
generated support from IAG members.\39\ For example, discussing the
importance of audit firms, an IAG member stated that ``the investor
community strongly believes that . . . it is only reasonable to expect
some level of disclosure about the manner in which the firms are
governed and about their financial strength and sustainability that is
much greater than the information that's provided today.'' \40\ Members
of the IAG submitted a comment letter to the Proposal, in which they
expressed support for the Proposal's fulfillment of the 2008 ACAP
recommendation and discussed how the proposal would allow investors to
make more informed decisions and assist the PCAOB in exercising its
oversight responsibilities.
---------------------------------------------------------------------------
\37\ See PCAOB Investor Advisory Group Meeting (June 8, 2022),
available at <a href="https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting-2022">https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting-2022</a>.
\38\ See PCAOB Investor Advisory Group Meeting (June 8, 2022),
Transcript, at 127:2; 152:18.
\39\ See PCAOB Investor Advisory Group Meeting (Oct. 27, 2016);
see also Steven B. Harris, Board Member, PCAOB, Audit Industry
Concentration and Potential Implications, address at the 2017
International Institute on Audit Regulation (Dec. 7, 2017),
available at <a href="https://pcaobus.org/news-events/speeches/speech-detail/audit-industry-concentration-and-potential-implications_674">https://pcaobus.org/news-events/speeches/speech-detail/audit-industry-concentration-and-potential-implications_674</a>. (``At
this year's IAG meeting, members recommended by unanimous consent
that the Big Four provide annual audited financial statements.'').
\40\ See PCAOB Investor Advisory Group Meeting (Oct. 27, 2016)
Meeting Transcript, at 179:16, available athttps://
<a href="http://assets.pcaobus.org/pcaob-dev/docs/default-source/news/events/documents/102716-iag-meeting/iag-meeting-transcript-10-27-16.pdf?sfvrsn=5cb1d454_0">assets.pcaobus.org/pcaob-dev/docs/default-source/news/events/documents/102716-iag-meeting/iag-meeting-transcript-10-27-16.pdf?sfvrsn=5cb1d454_0</a>.
---------------------------------------------------------------------------
The September 26, 2024 meeting of the PCAOB's IAG included a
discussion of audit firm ownership structures and funding arrangements,
during which members observed a lack of reporting in this area.\41\
---------------------------------------------------------------------------
\41\ See PCAOB Investor Advisory Group Meeting (Sept. 26, 2024),
available at <a href="https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting-september-2024">https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting-september-2024</a>.
---------------------------------------------------------------------------
5. Cybersecurity Developments
Cybersecurity incidents have increased in recent years in size,
frequency, and sophistication. Federal financial regulators have
responded by imposing new cyber-specific reporting requirements. For
example, the SEC has adopted new cybersecurity reporting requirements
for public companies and proposed new cybersecurity reporting
requirements for investment managers.\42\ In proposing certain of these
requirements, the SEC noted that
---------------------------------------------------------------------------
\42\ See Cybersecurity Risk Management, Strategy, Governance,
and Incident Disclosure, SEC Rel. No. 33-11216 (July 26, 2023);
Cybersecurity Risk Management for Investment Advisers, Registered
Investment Companies, and Business Development Companies, SEC Rel.
No. 33-11028 (Feb. 9, 2022).
[t]he U.S. securities markets are part of the Financial Services
Sector, one of the sixteen critical infrastructure sectors whose
assets, systems, and networks, whether physical or virtual, are
considered so vital to the United States that their incapacitation
or destruction would have a debilitating effect on security,
national economic security, national public health or safety, or any
combination thereof.\43\
---------------------------------------------------------------------------
\43\ SEC Rel. No. 34-97142, at 8.
---------------------------------------------------------------------------
The SEC has further noted that
[c]ybersecurity risks have increased for a variety of reasons,
including the digitalization of registrants' operations; the
prevalence of remote work, which has become even more widespread
because of the COVID-19 pandemic; the ability of cyber-criminals to
monetize cybersecurity incidents, such as through ransomware, black
markets for stolen data, and the use of crypto-assets for such
transactions; the growth of digital payments; and increasing company
reliance on third party service providers for information technology
services, including cloud computing technology.\44\
---------------------------------------------------------------------------
\44\ See Cybersecurity Risk Management, Strategy, Governance,
and Incident Disclosure, SEC Rel. No. 33-11038 (Mar. 9, 2022), at 6-
7 (footnotes omitted).
Bank regulators now require that certain banks and their service
providers notify regulators within 36 hours of cybersecurity incidents
that have ``materially disrupted or degraded'' the organization.\45\ In
adopting these requirements, the banking regulators noted that
``[c]yberattacks targeting the financial services industry have
increased in frequency and severity in recent years.'' \46\
---------------------------------------------------------------------------
\45\ See Computer-Security Incident Notification Requirements
for Banking Organizations and Their Bank Service Providers, 86 FR
66424 (Nov. 23, 2021).
\46\ Id. at 66425 (footnote omitted).
---------------------------------------------------------------------------
PCAOB staff experience indicates that the cybersecurity landscape
faced by audit firms continues to evolve and that cybersecurity
incidents at audit firms are increasing in both volume and complexity.
Accounting and financial data may be particularly attractive targets
for such attacks.\47\ Some reports suggest that cyberattacks on
accounting firms increased by 300 percent in the several months after
the onset of the COVID-19 pandemic.\48\
---------------------------------------------------------------------------
\47\ See Chris Gaetano, More than a third of orgs had
accounting-related cyber incidents, Accounting Today Online (Feb. 8,
2023) (``A recent poll of C-suite and other executives from Big Four
firm Deloitte showed evidence of this. It found that 34.5% of
organizations have experienced at least one `cyber event' targeting
accounting and financial data over the past year. Of these, 12.5%
have experienced more than one. Executives don't expect this to ease
up anytime soon either, as almost half--48.8%--expect that the
number of cyber incidents will increase over the next year.'').
\48\ See Gary Salman, The rise of cybercrime in the accounting
profession continues, Accounting Today Online (Aug. 24, 2020); see
also Maggie Miller, FBI sees spike in cyber crime reports during
coronavirus pandemic, The Hill (Apr. 16, 2020).
---------------------------------------------------------------------------
The September 26, 2024 meeting of the PCAOB's IAG included a
discussion of cyber risks in external audits.\49\
---------------------------------------------------------------------------
\49\ See PCAOB Investor Advisory Group Meeting (Sept. 26, 2024),
available at <a href="https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting-september-2024">https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting-september-2024</a>.
---------------------------------------------------------------------------
The increased prevalence of cybersecurity incidents has
implications for the operations of audit firms, the degradation of
which could impact their provision of audit services, as well as for
improper access to confidential data of issuers and individuals by bad
actors and other third parties.
6. Rulemaking History
On April 9, 2024, the Board proposed to amend its annual and
special
[[Page 96718]]
reporting requirements in the following ways:
<bullet> Revise Form 2 to require more information regarding a
firm's network arrangements; leadership and governance structure; and
fees collected and client base, and implement a new requirement for the
largest accounting firms to confidentially submit financial statements
to the PCAOB on an annual basis and in conformity with an applicable
reporting framework;
<bullet> Revise Form 3 to shorten the timeframe for reporting from
30 days to 14 days (or more promptly as warranted), and expand the
scope of special reporting to include (on a confidential basis) events
that pose a material risk, or represent a material change, to the
firm's organization, operations, liquidity or financial resources, or
provision of audit services;
<bullet> Implement new cybersecurity reporting requirements,
including reporting of significant cybersecurity incidents within five
business days on a confidential basis and public reporting of a
description of a firm's policies and procedures, if any, to identify,
assess, and manage cybersecurity risks; and
<bullet> Implement new Form QCPP to capture updates to a firm's
quality control policies currently provided in a firm's application for
registration (Form 1).
The Board received comment letters on the proposal from over 35
commenters across a range of affiliations, including firms and firm-
related groups, investors and investor-related groups, trade groups,
consultants, and others. Some commenters asked the PCAOB for more than
60 days to respond to the proposal, citing overlapping comment proposal
periods, the duration of comment periods, the length and complexity of
various proposals, and overlapping SEC Form 19b-4 filing comment
periods. Some commenters recommended the PCAOB engage in further
outreach, or re-propose, before finalizing any new Firm Reporting
requirements. The Board believes that 60 days was a sufficient period
for comment on the proposal. The Board notes that it continued to
receive comment letters that were submitted after the 60-day period
closed and those letters are considered in this release. The Board
received robust comments on the proposal, which have importantly
informed the final amendments. The Board considers the comments
throughout this release.
Improvements To Audit Firm Reporting Requirements
The Board believes that the final amendments will improve audit
firm reporting in several respects:
Decision-useful information. The Board's oversight indicates that
quantitative and qualitative aspects of firm structure, resources, and
operations could impact the ability of firms to conduct quality audits,
and therefore more public disclosure about registered firms will
facilitate informed decision-making and risk assessment by investors
and audit committees. As discussed further in the economic analysis,
because standardized disclosures by audit firms support audit
committees' and investors' abilities to identify a firm whose
characteristics best meet investor needs regarding the audit, the final
amendments will ultimately enhance the quality of audits. In this
regard, the Board notes that the newly required information should be
useful both on its own and in conjunction with other public information
regarding audit firms, including, for example, the metrics included in
Firm and Engagement Metrics, if approved by the SEC. The Board further
believes enhanced firm transparency will improve investor confidence in
public company audits because it will increase the information
available to efficiently and effectively evaluate a firm for
ratification.
Some commenters, principally investor-related groups, supported the
usefulness of the proposed information, including stating that the
proposal can produce significant benefits to investors by providing
information they currently do not have access to that can assist them
in making more informed decisions about whether to vote to approve the
ratification of the auditor or the election or reelection of board
members, or in exercising their responsibilities for oversight of the
audit committees of public companies. One commenter mentioned that the
PCAOB would be able to standardize the information received, and
mitigate the submission of incomplete, inaccurate, or insufficiently
detailed information, thus facilitating the PCAOB's regulatory
functions (i.e., firm monitoring, the inspection program, enforcement
investigations, and the PCAOB's standard-setting process). Some
commenters, principally firms or firm-related groups, questioned the
usefulness of the proposed information, including stating that the
proposed information does not appear to be relevant or useful to
investors or audit committees and questioning how the proposed
requirements would impact audit quality. One commenter stated its
belief that investor decision-making is based on issuer financial
performance and not information about the firms that audit those
issuers, highlighting the audit committee's statutory responsibility to
represent the needs of investors.
In the discussion below, the Board summarizes and considers
comments on this subject related to individual requirements, and sets
forth the ways it is modifying the requirements in the final amendments
to better focus on information that will be useful to stakeholders in
their decision-making. In general, the Board continues to believe that
enhanced information regarding audit firms will support audit
committees' abilities to efficiently and effectively compare firms in
their appointment decisions and monitoring efforts, and investors'
abilities to efficiently and effectively compare firms in their
ratification decisions and monitoring efforts, and in their capital
allocation decisions. The required disclosures will also provide
indirect benefits linked to audit quality, financial reporting quality,
capital market efficiency, and competition, as discussed below.
Data and information to support the PCAOB's regulatory mission. The
Board believes that more reporting by registered firms will (1)
facilitate monitoring of firms for risks or issues that may affect the
ability of firms to conduct quality audits and may potentially affect
the broader market for audit services; (2) facilitate analysis and
planning related to the PCAOB's inspection program; (3) identify
circumstances or events that may warrant or inform enforcement
investigations; and (4) inform the PCAOB's standard-setting and
rulemaking processes. The Board notes the PCAOB actively engages in
policy research related to the market for assurance services to further
the PCAOB's mission by informing the standard-setting agenda, among
other things. The additional data provided by this proposal will
enhance the PCAOB's ability to produce impactful research and translate
that gained knowledge into improved standards and rules. Relatedly, the
additional data will also provide valuable information sources for the
public, including academic research. Improved research quality is an
important benefit, as it is an important element of the PCAOB's
standard-setting projects.
Some commenters agreed that the proposed requirements would enhance
the PCAOB's oversight, including
[[Page 96719]]
stating that the proposal would facilitate the PCAOB's regulatory
functions, i.e., firm monitoring, the inspection program, enforcement
investigations, and the PCAOB's standard-setting process. Some
commenters questioned the usefulness of the information to the PCAOB's
oversight, including stating that the PCAOB can require information
through the inspection process. A commenter stated that, in terms of
how the various disclosures enhance the PCAOB's regulatory function,
each of the disclosures should be considered as to how individually or
taken together it provides information on a firm's ability to conduct
quality audits. In a section below, the Board summarizes and considers
comments on this subject related to individual requirements, and sets
forth the ways it is modifying the requirements in the final amendments
to better focus on information that will yield information useful to
the Board's oversight. In general, the Board continues to believe that
requiring information through reporting requirements (in contrast to
through the inspection process) will enhance the Board's oversight and
operating effectiveness. Standardizing the information collected will
facilitate comparison across firms and contribute to more effective use
of inspection resources, more timely reporting of certain events will
expedite the Board's efforts to identify regulatory tools and
mechanisms in response to potential disruptions in the timely issuance
of audit opinions under certain circumstances, and the improved data
set will enhance standard-setting and rulemaking, as discussed in the
economic analysis.
Improved standardization of information. In addition to making more
information available, formalizing reporting requirements will make the
information more useful by increasing standardization and
comparability. This will serve both public transparency interests and
the PCAOB's regulatory function.
Some commenters, principally firms or firm-related groups,
questioned whether the proposed requirements would achieve
comparability, including stating that firms vary significantly in size
and structure making it more difficult to compare firm to firm, stating
that comparison of the information reported is unlikely to result in a
ranking or judgment of one firm being more qualified than others to
serve as auditor for an issuer or broker dealer, and encouraging the
Board to clarify the information to be reported to support
comparability. Similarly, some commenters called for an alternative
disclosure regime, including one commenter who suggested an alternative
similar to the EU's principles-based system which could provide similar
public benefits at much lower cost.
In a discussion below, the Board summarizes and considers comments
on this subject related to individual reporting requirements and
discusses clarifications to reporting requirements which should support
comparability. In general, the Board continues to believe that setting
forth mandatory reporting requirements, as compared to voluntary
reporting and/or supplemental or ad hoc information requests through
the inspection process, will overall improve standardization and
comparability of information available, as discussed in the economic
analysis. At the same time, the reporting provisions permit narrative
disclosures to accommodate the need for context for the reported
information. The final amendments seek to balance the need for
specificity in the requirements with the need to accommodate
principles-based disclosure to permit judgment on the part of the firms
regarding how to contextualize reported information.
Improved timeliness of certain information. By requiring certain
special reports on a shorter timeframe, namely material events and
cybersecurity incidents, enhanced special reporting requirements will
get useful information to the PCAOB more quickly. As discussed below,
commenters raised questions on the need for more timely reporting of
existing Form 3 events, and in consideration of these comments and the
Board's reporting objectives, the Board determined not to adopt the
acceleration of the Form 3 deadline for existing reporting items.
However, the Board has adopted accelerated reporting deadlines for
material events and cybersecurity incidents because those events are,
by definition in the final amendments, significant and likely to
represent issues meriting more urgent reporting. For those events, the
Board continues to believe more accelerated reporting to the Board is
appropriate and will enable the Board to respond to potential
disruptions or alterations in audit firm operations appropriately.
Key Provisions of the Final Amendments
In light of the above, the Board has enhanced the required
reporting of certain information by registered firms:
<bullet> Financial Information: The Board has adopted amendments to
require all registered firms to report on the Annual Report Form
additional fee information, and to require the largest registered firms
to confidentially submit financial statements to the PCAOB. The Board
believes such information will provide insight into a firm's practice,
focus, and incentives, and inform the PCAOB's oversight of registered
firms. The Board also believes that public fee data will inform
decision-making and risk assessment by investors, audit committees, and
others.
<bullet> Governance Information: The Board has adopted amendments
to require all registered firms to report on the Annual Report Form
additional information regarding their leadership, legal structure,
ownership, and other governance information, including reporting on
certain key Quality Control operational and oversight roles. The Board
believes that such information will help investors and audit committees
to better understand firm processes and priorities, and to
differentiate among firms with respect to, for example, leadership,
oversight, and independence practices. Such information will also
bolster the PCAOB's oversight of registered firms, complementing and
improving upon the information already collected through the
inspections process.
<bullet> Network Relationships: The Board has adopted amendments to
require a more detailed public description on Form 2 of any network
arrangement to which a registered firm is subject, including describing
the network's structure, the registered entity's access to resources
such as audit methodologies and training, whether the firm shares
information with the network regarding its audits including whether the
firm is subject to inspection by the network. The Board believes such
information will give the PCAOB, investors and audit committees greater
insight into how a network arrangement influences firm governance and
the conduct of audits, including oversight and access to resources.
<bullet> Special Reporting: The Board has adopted amendments to
implement a new confidential special reporting requirement for events
material to a firm's organization, operations, liquidity or financial
resources, such that they affect the provision of audit services. This
provision is applicable to annually inspected firms. The Board believes
that more formalized reporting of material events that will affect
audit services will inform the PCAOB's oversight of registered firms
and facilitate the Board's timely response to events that may
potentially disrupt or alter the provision of audit services.
<bullet> Cybersecurity: The Board has adopted amendments to require
prompt confidential reporting of significant
[[Page 96720]]
cybersecurity events on the Special Report Form and periodic public
reporting of a brief description of the firm's policies and procedures,
if any, to identify and manage cybersecurity risks on the Annual Report
Form. The Board believes that reporting of such information will inform
the PCAOB, investors, audit committees, and other stakeholders of
critical information regarding the potential for disruptions of audit
firm operations that may impact the provision of audit services and
indicate potential compromises of individual or issuer information, and
information regarding the audit firm's management of cybersecurity risk
that will inform decision-making and risk assessment.
<bullet> Updated Description of QC Policies and Procedures: The
Board has adopted a new form that will require any firm that registered
with the Board prior to the date that QC 1000 becomes effective
(December 15, 2025) to submit an updated statement of the firm's
quality control policies and procedures pursuant to QC 1000. The Board
believes it is important that firms update the statement regarding
their quality control policies and procedures, originally made in
connection with their registration application on Form 1, to reflect
the changes to their policies and procedures made in response to the
new quality control standard.
1. Authority
As with the Board's original promulgations of Form 2 and Form 3,
the Board's authority for the amendments and rules is well settled.\50\
Section 102(d) of Sarbanes-Oxley provides that ``Each registered public
accounting firm shall submit an annual report to the Board, and may be
required to report more frequently . . . to provide to the Board such
additional information as the Board or the Commission may specify, in
accordance with subsection (b)(2).'' Subsection 102(b)(2)(H), in turn,
provides that ``Each public accounting firm shall submit, . . . in such
detail as the Board shall specify . . . such other information as the
rules of the Board or the Commission shall specify as necessary or
appropriate in the public interest or for the protection of
investors.'' This broad mandate leaves no doubt that the Board's
authority rests on firm ground.
---------------------------------------------------------------------------
\50\ See PCAOB Rel. No. 2008-004, at 4; see also Proposed Rules
on Periodic Reporting by Registered Public Accounting Firms, PCAOB
Release No. 2006-004, at 2 (May 23, 2006).
---------------------------------------------------------------------------
First, under the plain text of Section 102(b)(2)(H), the amendments
and rules need only be either (1) ``necessary'' or (2) ``appropriate,''
and either (a) ``in the public interest'' or (b) ``for the protection
of investors.'' Each of the reporting requirements adopted in this
release plainly satisfies multiple--and at least one (which is all that
is required)--of the four permutations that provide an avenue of
authority.
As explained herein and in the proposal, the reporting of publicly
available information will assist investors, and audit committees,
among others, to better assess aspects of firm operations that may
influence the conduct of audits. Both individually and collectively,
this newly required information should provide a clearer, more complete
picture of an audit firm and its capacity to perform audits.\51\ Such
utility applies a fortiori when the information is used in conjunction
with other publicly available data, including Form AP data and data
from Firm and Engagement Metrics.
---------------------------------------------------------------------------
\51\ To the extent that these benefits improve audit quality,
they also should enhance the credibility of financial reporting.
See, e.g., Mark DeFond and Jieying Zhang, A review of archival
auditing research, 58 Journal of Accounting and Economics 275 (2014)
(asserting that audit quality improves financial reporting quality
by increasing the credibility of the financial reports).
---------------------------------------------------------------------------
Confidentially reported information will similarly inform the
Board, allowing the Board to learn about, or better understand, the
operations of registered firms, providing a more comprehensive window
into the health of registered firms and their capacity to perform
audits. For instance, regular reporting of financial information by
larger firms or special reporting of certain material events (e.g., a
report on a firm's likely inability to continue as a going concern)
will allow the Board to anticipate a potential firm closure, including
by notifying downstream regulators (e.g., the Commission), which would
allow those regulators to make appropriate preparations including, for
example, issuing relief for affected issuers. Such a scenario is not
merely hypothetical, as just this past year, the Commission issued an
exemptive order for issuers to make certain Exchange Act filings in
light of a registered firm shuttering its public company audit
practice.\52\ In addition, such reporting would allow the Board to
provide appropriate guidance to its registered firms related to, for
example, obligations of successor auditors.
---------------------------------------------------------------------------
\52\ Order under Section 36 of the Securities Exchange Act of
1934 Granting Exemptions from Specified Provisions of the Exchange
Act and Certain Rules Thereunder, SEC Release No. 34-100185 (May 20,
2024).
---------------------------------------------------------------------------
Information (whether reported publicly or confidentially) also will
allow the Board to enhance or otherwise adjust its oversight as needed
or as appropriate to protect investors and the public. Whether such
enhancements or modifications to oversight take the form of inspection
scoping, inspection frequency, or other regulatory actions, the result
of the newly required disclosures is the same: the Board will have at
its disposal greater information--both with respect to individual firms
and trends across the audit market--to better oversee auditors of
public companies, brokers, and dealers.
Second, Section 102(b)(2)(H)'s use of ``appropriate'' evinces
Congress's intent to grant significant discretion to the Board to
determine what types of reporting is in the public interest or to
protect investors. Indeed, such statutory language ``leave[s] [the
Board] with flexibility'' \53\ and ``affords [the Board] broad policy
discretion.'' \54\ That the new or enhanced reporting items described
in the release fit neatly within the confines of that statutory
discretion is evident by the enumerated categories of information that
Congress required firms to disclose in Sarbanes-Oxley.
---------------------------------------------------------------------------
\53\ Loper Bright Enters v. Raimondo, 144 S. Ct. 2244, 2263
(2024) (quoting Michigan v. EPA, 576 U.S. 743,752 (2015) (quotation
marks omitted)).
\54\ Kisor v. Wilkie, 588 U.S. 558, 632 (2019) (Kavanaugh, J.,
concurring in the judgment) (``To be sure, some cases involve
regulations that employ broad and open-ended terms like
`reasonable,' `appropriate,' `feasible,' or `practicable.' Those
kinds of terms afford agencies broad policy discretion, and courts
allow an agency to reasonably exercise its discretion to choose
among the options allowed by the text of the rule.'').
---------------------------------------------------------------------------
For instance, Congress mandated that firms disclose in their
application for registration ``annual fees received by the firm from
each such issuer, broker, or dealer for audit services, other
accounting services, and non-audit services, respectively,'' \55\ and
``such other current financial information for the most recently
completed fiscal year of the firm as the Board may reasonably
request.'' \56\ It requires no straining of ``appropriate'' to conclude
that requiring that the same or similar fee and financial information
be submitted annually (as opposed to only upon registration) is of a
piece with Sections 102(b)(2)(B) and (C) of Sarbanes-Oxley.\57\ That is
especially so given that
[[Page 96721]]
Congress expressly contemplated that the Board would require firms to
``update''--annually or ``more frequently''--``the information
contained in [their] application[s] for registration.'' \58\ The Board
made such a determination when it initially adopted fee reporting
requirements on Form 2 in 2008 in the form percentages (e.g., audit
fees billed to issuers as a percentage of all fees). The final
amendments modestly build out the fee reporting requirements, as
described in greater detail in below, by requiring reporting of fee
amounts (rather than percentages) to increase the usefulness of the
reported information by requiring the data in a form that lends itself
to greater analysis (e.g., comparisons of size of audit practices
across firms).
---------------------------------------------------------------------------
\55\ Section 102(b)(2)(B) of Sarbanes-Oxley.
\56\ Id. Section 102(b)(2)(C).
\57\ That same reasoning applies to ``necessary'' in Section
102(b)(2)(H) in Sarbanes-Oxley. See, e.g., Metrophones Telecommc'ns,
Inc. v. Global Crossing Telecommc'ns, Inc., 423 F.3d 1056, 1068 (9th
Cir. 2005) (``Given the reach of the [FCC's] rulemaking authority
under Sec. 201(b)''--which granted to the FCC the ``broad power to
enact such `rules and regulations as may be necessary in the public
interest to carry out the provisions of this Act' ''--``it would be
strange to hold that Congress narrowly limited the Commission's
power to deem a practice `unjust or unreasonable.' ''); Brown v.
Azar, 497 F. Supp. 3d 1270, 1281 (N.D. Ga. 2020) (``[W]hen an agency
is authorized to `prescribe such rules and regulations as may be
necessary in the public interest to carry out the provisions of the
Act,' Congress' intent to give an agency broad power is clear.''),
appeal dismissed as moot, 20 F.4th 1385 (11th Cir. 2021) (mem.).
\58\ Id. Section 102(d).
---------------------------------------------------------------------------
Similarly, Congress mandated that firms disclose ``a list of all
accountants associated with the firm who participate in or contribute
to the preparation of audit reports, stating the license or
certification number of each such person, as well as the State license
numbers of the firm itself.'' \59\ It strains credulity to think that
the newly required disclosures--of the names of individuals serving in
leadership positions, or of a firm's governance structure as a whole,
or of a firm's network information--are outside the bounds of
``appropriate'' in light of the information (and the granularity of
such information) that Congress required of firms when applying for
registration.\60\ Indeed, the Board originally construed network
information as an appropriate subject of periodic reporting when the
Board required it in 2008 when adopting Form 2. The final amendments
merely require incremental additional information regarding network
arrangements to increase the usefulness of the network disclosures by
providing greater information regarding, for example, network members
access to network resources.
---------------------------------------------------------------------------
\59\ Id. Section 102(b)(2)(E) (emphasis added).
\60\ Section 101 of Sarbanes-Oxley supplies ancillary authority
for this rulemaking. For example, Section 101(c)(5) empowers the
Board to ``perform such other duties or functions as the Board . . .
determines are necessary or appropriate to . . . carry out this Act,
in order to protect investors, or to further the public interest.''
In addition, Section 101(g)(1) provides rulemaking authority to the
Board, specifying that the Board's rules ``provide for the operation
and administration of the Board, the exercise of its authority, and
the performance of its responsibilities under'' Sarbanes-Oxley.
---------------------------------------------------------------------------
Some firm and firm-related groups questioned the Board's statutory
authority to require the proposed information. Commenters believe that
the Board's authority under Section 102(b)(2) is more limited than the
Proposal's interpretation. One commenter stated that the Board's
reliance on the phrase ``such other information'' in Section
102(b)(2)(H) is constrained and, in analogizing to a Supreme Court
ruling, expressed that ``statutory reference'' to the adoption of
regulations that are ``necessary or appropriate'' does not give an
agency ``authority to act, as it [sees] fit, without any other
statutory authority.'' This commenter argued that the phrase ``such
other information'' must refer to items ``similar in nature to those
objects enumerated by the preceding specific words'' (i.e., the Board's
authority to require the provision of ``other'' information under
subsection (b)(2)(H) is limited to information of the type enumerated
in subsections (b)(2)(A) through (b)(2)(G), which includes the names of
clients, fees received from issuers and broker-dealers, certain other
financial information, quality control policies, the names of
accountants, criminal or civil proceedings, and instances of accounting
disagreements). As explained above however, the required disclosures
are in fact similar in nature to those statutorily enumerated reporting
items and also fall within the Board's authority under subsection
(b)(2)(H).
Another commenter stated that none of the proposed requirements are
covered under Sections 102(b)(2)(A) through (G), that the Sarbanes-
Oxley Act does not give the PCAOB authority to tell audit firms how to
run their businesses, and that monitoring audit firm financial
stability and market risk is not within the PCAOB's remit. That
position, however, does not account for Congress's mandate that firms
disclose on their registration applications ``annual fee [ ]'' and
``current financial information,'' as set forth in Sections
102(b)(2)(B) and (C) of Sarbanes-Oxley, and Congress's empowering the
Board to require firms to ``update the information contained in [their]
application[s] for registration'' annually or ``more frequently,'' as
set forth in Section 102(d). Moreover, nothing in this rulemaking is
intended to ``tell audit firms how to run their businesses.'' For
example, the rulemaking does not contemplate a preferred governance
structure for firms (let alone mandate such a structure); the
rulemaking merely requires disclosure of a firm's governance structure,
whatever that structure may be. Commenters also specifically asserted
that the Board's rulemaking authority under Section 101(c)(5) is not a
``catch all'' authority for the Board to adopt any rule that it deems
in the public interest. One commenter expressed that this provision
does not grant the Board the authority to engage in rulemaking, and the
``public interest'' and ``necessary or appropriate'' clauses place the
same constraints on the Board mentioned above. In other words, the
commenter stated, a ``statutory reference'' to the performance of
duties or functions that are ``necessary or appropriate'' does not give
an agency ``authority to act, as it [sees] fit, without any other
statutory authority.''
Although the Board agrees that ``necessary'' and ``appropriate''
are not unbounded, they provide a broad degree of discretion and
flexibility, as noted above and as recognized by courts.\61\ Moreover,
Section 102(b)(2)(H) expressly contemplates the provision of ``other
information'' the Board may require through rulemaking. Courts have
described such statutory language as signifying ``a catch-all
provision.'' \62\ In fact, based on its plain meaning, one appeals
court has read ``other'' as necessarily introducing categories that are
distinct from anything that preceded it, meaning that ``such other
information'' in Section 102(b)(2)(H) need not ``address'' the types of
information in Sections 102(b)(2)(A)-(G).\63\
---------------------------------------------------------------------------
\61\ See supra footnotes 54 and 55 and accompanying text; see
also footnote 58.
\62\ Navajo Nation v. Dalley, 896 F.3d 1196, 1212 (10th Cir.
2018); see also, e.g., Madison v. Virginia, 474 F.3d 118, 133 (4th
Cir. 2006) (``other Federal statute prohibiting discrimination'' is
a ``catch-all provision''); cf. Meehan v. Atl. Mut. Ins. Co., 2008
WL 268805, at *7 (E.D.N.Y. Jan. 30, 2008) (``The term `other
policies' now accomplishes the task of including all governmental
activity and becomes a catch-all phrase including all other policies
not already implied[.]'' (citations and quotation marks omitted)).
\63\ Navajo Nation, 896 F.3d at 1212-13 (``Congress expressed
its scope in broad terms, to encompass `any other subjects that are
directly related to the operation of gaming activities.' But the key
word here is `other.' . . . And applying the ordinary and everyday
meaning of the word `other' . . . , it becomes patent that Congress
did not intend for that clause to address the `subjects' covered in
the preceding clauses of subsection (C)[.]'' (citation omitted)).
---------------------------------------------------------------------------
Further, with respect to the assertion that Section 101(c)(5) is
not a ``catch-all'' for the Board to adopt any rule it deems in the
public interest, the Board notes that Section 101(c)(5) uses the same
statutory language ``other'' as Section 102(b)(2)(H), discussed
immediately above. For that reason, Section 101(c)(5) would be aptly
[[Page 96722]]
described as a ``catch-all'' provision,\64\ and the reporting
requirements fit neatly within the bounds of the statute insofar as the
Board has ``determine[d]'' them to be ``necessary or appropriate . . .
to carry out [Sarbanes-Oxley], in order to protect investors, or to
further the public interest.'' \65\ In all events, although Section
101(c)(5) supplies an independent basis of authority, the Board's
primary authority for the reporting requirements is Section 102 of
Sarbanes-Oxley, and the Board's authority under Section 102 is not
dependent on its authority under Section 101(c)(5).
---------------------------------------------------------------------------
\64\ See supra footnote 63.
\65\ Section 101(c)(5) of Sarbanes-Oxley.
---------------------------------------------------------------------------
This release has outlined how the disclosures mandated will enhance
transparency and bolster the PCAOB's oversight capabilities. Such
enhancements are designed to improve PCAOB oversight and inform
investor and audit committee decisions, and in turn to protect
investors and enhance audit quality, fully aligning with the
overarching objectives of Sarbanes-Oxley, and therefore are appropriate
exercises of the Board's authority under Section 102.\66\
---------------------------------------------------------------------------
\66\ In response to the concerns raised by firm commenters
regarding the Board's use of Sarbanes-Oxley's relevant ``necessary
and appropriate'' clauses, it is important to clarify that the Board
has not claimed any implicitly delegated authority beyond the
regulatory parameters established by Congress. The use of the
Section 101 and 102 authorities in this rulemaking is firmly
grounded within the explicit mandates provided by Sarbanes-Oxley,
and is consistent with the statutory limitations and directives
outlined in those provisions. The Board's application of these
authorities has been aimed at enhancing transparency and regulatory
oversight, and therefore ultimately the quality of audits of issuers
and broker-dealers, which directly aligns with the PCAOB's core
mission to protect investors and the public interest. The Board has
utilized the tools provided by Sarbanes-Oxley to carry out the
responsibilities entrusted to us.
---------------------------------------------------------------------------
Other commenters specifically raised concern related to reporting
requirements extending beyond a registered firm's issuer and broker-
dealer audit practice. In this vein, commenters raised authority
concerns with respect to particular aspects of the proposed
requirements:
<bullet> Fee reporting unrelated to issuer and broker-dealer
audits.
<bullet> Financial statements reporting, which would include
financial information beyond the audit practice.
<bullet> Cybersecurity incident reporting unrelated to a firm's
issuer or broker-dealer audit practices.
<bullet> Governance reporting such as processes governing a change
in the form of organization.
<bullet> Network-related reporting requirements which called for
information regarding the registered entity's relationship to an
unregistered entity.
<bullet> Material event reporting, which called for events material
to the firm broadly.
The PCAOB's statutory mandate is not circumscribed to information
related specifically to issuer or broker-dealer audits. Indeed, Section
102(b)(2)(B) expressly contemplates the provision of information
relating to ``other accounting services'' and ``non-audit services.''
That makes sense, as information related to a registered firm's broader
operations is relevant to the conduct of the audit practice.\67\
Nevertheless, the proposed requirements were crafted to elicit
reporting regarding aspects of a firm's operations that are linked to
its conduct of audits as described above, including the relationship of
the audit practice to the overall business, firm and network resources
available for the audit practice, and events at the firm level that
will affect the firm's ability to conduct audits. In consideration of
comments and the Board's intended reporting objectives, nearly all of
the specific requirements listed above have been modified to more
firmly link the reporting requirement to aspects of the firms'
operations that may influence the conduct of audits overseen by the
PCAOB, as described in more detail below.\68\
---------------------------------------------------------------------------
\67\ See PCAOB Release No. 2006-004, at 4 (the Board describing
that it intended fee reporting across all areas of the firm's
business to provide a ``picture of how the firm's services for
issuer audit clients compare generally with the firm's services for
other clients, and [ ] also [to] provide a picture of the allocation
of services the firm provided to issuer audit clients'').
\68\ With respect to financial statement reporting, the Board
has modified the requirement to reduce costs to firms as discussed
below. In addition, the Board notes that the requirement as
initially proposed (and as the Board has adopted) is already
narrowly tailored to the largest firms, which have an outsize impact
on the capital markets.
---------------------------------------------------------------------------
Lastly, as noted above, the Board reiterates that the final
amendments set forth reporting requirements and do not purport to
regulate how audit firms conduct their businesses. The final rules do
not impose obligations on firms beyond reporting certain specified
information.
2. Confidentiality
Information To Be Reported Publicly
The proposal clarified that certain of the information provided in
response to the new reporting items would be reported publicly, namely
enhanced fee information, governance and network information, and
information related to a firm's policies and procedures, if any, that
are intended to manage cybersecurity risks.\69\ The Board did not
propose to permit confidential treatment requests for the publicly
reported information. Permitting confidential treatment would be
inconsistent with an important goal of these enhanced reporting
requirements--informing investors, audit committees, and other
stakeholders, and promoting investor confidence in public company
audits and financial reporting. Moreover, the Board explained in the
proposal that it believed public disclosure of the proposed information
was consistent with Sarbanes-Oxley.
---------------------------------------------------------------------------
\69\ The proposal also contemplated a public one-time update to
the ``Statement of Applicant's Quality Control Policies,'' as
discussed below.
---------------------------------------------------------------------------
Specifically, Section 102(e) of Sarbanes-Oxley provides that
reports required under that section ``shall be made available for
public inspection, subject to rules of the Board or the Commission, and
to applicable laws relating to the confidentiality of proprietary,
personal, or other information.'' Additionally, it requires the Board
to ``protect from public disclosure information reasonably identified
by the subject accounting firm as proprietary information.'' Consistent
with the approach the Board has taken in its consideration of
confidential treatment requests for information required by its
existing forms, the Board understands ``proprietary'' to mean a
formula, practice, process, or design owned by a particular firm that
the firm keeps private for competitive advantage.\70\ The Board did not
believe at the time of the proposal that the information it proposed
for public reporting would require disclosure of such proprietary
information or, based on the Board's experience in this area, that any
other law shields the proposed information from disclosure.
---------------------------------------------------------------------------
\70\ See Black's Law Dictionary (11th ed. 2019) (cross
referencing ``proprietary information'' and ``trade secret'').
---------------------------------------------------------------------------
The Board believed that much of the information proposed to be
publicly reported is of the type that is already made public in some
form by audit firms, including in existing transparency reporting, or
is otherwise publicly available (although not currently centralized or
presented on a comparable basis), and the Board designed the proposed
reporting requirements to avoid disclosure of personal-identifying or
client-specific information that might be protected by law, or that
would be proprietary as the Board understands the term.
Some commenters expressed concerns that the Board's proposal would
not permit confidential treatment requests
[[Page 96723]]
for the public reporting items. One commenter stated that Sarbanes-
Oxley recognizes the role of confidential information in registration,
inspections, investigations, and disciplinary proceedings, including
the importance of the PCAOB maintaining the confidentiality of
proprietary, personal, or other information, and that the Board should
allow audit firms to request confidential treatment of the other
required public disclosures and evaluate these requests on a case-by-
case basis. One commenter stated that fee amounts are proprietary
information that should be confidential. Some commenters stated that
the proposal would require firms to disclose proprietary information
regarding their network-related arrangements, including network-related
financial information. A commenter stated the information called for by
Form QCPP would be proprietary and stated generally many of the firm's
operational plans and challenges are proprietary.
Lastly, some commenters questioned the PCAOB's decision to require
public reporting of some items, stating that the proposal does not give
sufficient weight to the way Congress envisioned investors would be
protected, which is through the PCAOB's inspection process, a process
that Congress carefully structured with appropriate confidentiality
safeguards to encourage robust exchanges of information and
perspectives between the firms and the PCAOB.
The reporting requirements have been modified in response to
comments, as discussed below, to further reduce the possibility that
they call for reporting proprietary information, including in
connection with the network-related reporting requirements. The Board
has further clarified in the release that the requirements are not
designed to elicit proprietary information, that information is sought
at a high enough level to exclude proprietary information, and that the
requirements are sufficiently principles-based to provide flexibility
in reporting, including as it relates to network-related information
and Form QCPP. The Board further notes that issuer fee information is
reported in SEC filings and therefore is already public. Lastly, the
reporting requirements have been modified to limit the disclosure of
individual names to all but the most senior positions. Thus, the Board
believes that the final amendments do not require the disclosure of
information that a firm could reasonably identify as proprietary, and
that, based on the Board's experience, no other law shields the
required information from disclosure.
By adopting this approach, the Board believes that prohibiting
confidential treatment requests for the carefully tailored public
reporting items will further the public interest in increased
transparency while adhering to its obligation to protect certain
categories of firm information.
In addition, the Board notes that Sarbanes-Oxley expressly provides
for the public reporting of audit firm information. Comments suggesting
that investor protection is principally achieved through non-public
submission of information to the PCAOB through its inspection processes
do not adequately account for this aspect of Sarbanes-Oxley. The Board
has carefully weighed its authority and obligations under Sarbanes-
Oxley when considering what reporting to make public and what
information to require on a non-public basis.
Some commenters expressed general concerns regarding the disclosure
of personal data by non-U.S. firms. The Board notes it is narrowing the
category of individuals identified under the final rules to more senior
roles likely to be public. See below for a more complete discussion of
personal identifying information and provisions regarding conflicts of
laws and non-U.S. firms, including that the Board has permitted
assertions of conflicts in connection with the disclosure of certain QC
roles.
Information To Be Reported Confidentially
Under the proposal, certain other information would be provided to
the PCAOB confidentially, namely special reporting of material events,
cybersecurity incident reporting, and financial statements from the
largest firms.\71\ In proposing not to make this information publicly
available, the Board weighed the public interest in public reporting of
this information, the potentially sensitive and developing nature of
the information requested, and the Board's obligations under Sarbanes-
Oxley.
---------------------------------------------------------------------------
\71\ Such information described herein would be reported
confidentially without a need for the firm to request confidential
treatment.
---------------------------------------------------------------------------
With respect to material event reporting, the Board noted the
potentially sensitive and developing nature of this information. For
example, the material event reporting item contemplated advance
reporting of events that are anticipated and may still be developing.
Cybersecurity incident reports, similarly, may involve developing
events. As detailed below, the Board believes the PCAOB has a
regulatory interest in timely notice of these types of events. However,
the Board believes firms may be in a better position to report fully
and candidly to the PCAOB about developing events if they are confident
that the information would be confidential and part of an ongoing
dialogue between the firm and the PCAOB regarding such events.
Further, with respect to cybersecurity incident reporting, the
Board considered the potential that public reporting of such
information could create vulnerabilities for the audit firm (e.g.,
reporting would provide information that bad actors could leverage
against the audit firm) in addition to the potentially developing
nature of such incidents at the time of reporting. While the Board
believes that cybersecurity incident information could be reported in a
summary fashion that both protects the audit firm and informs the
public, the Board thinks it may better facilitate timely reporting of
such information if firms are not required to expend the resources and
time necessary to consider the implications of public reporting of
cybersecurity incident information and carefully scope it in deference
to public reporting. In addition, the Board notes that there are state
and consumer laws and regulations that require notification to
individuals in cases of compromised data.
Finally, in certain limited circumstances, some of the financial
information included in financial statements may be subject to laws
relating to the confidentiality of proprietary, personal, or other
information, or might reasonably be identified by a firm as
proprietary, and there the Board would need to honor a firm's properly
substantiated request for confidential treatment of such information.
The Board does not believe the public interest would be served by
incomplete, piecemeal reporting of a firm's financial information.
Some commenters recommended that the Board expand the scope of
publicly reported information by making audit firm financial statements
public. Some commenters encouraged the PCAOB to maintain
confidentiality in perpetuity for items collected under this new
disclosure regime (i.e., financial statements, cybersecurity incidents,
and certain special reporting events). A commenter requested that the
PCAOB clarify explicitly whether these new reporting items would remain
confidential. One urged the Board to provide more detail on
confidentiality protections over these enhanced areas of reporting.
Another suggested that the expanded fee information, cybersecurity
related policies and procedures, and certain firm governance and global
[[Page 96724]]
network information should also receive confidential treatment. One
commenter asked that smaller firms receive an option to request
confidential treatment due to the disproportionate costs they face.
As explained in the proposal, the Board sought to achieve a balance
between protecting potentially proprietary, sensitive, and developing
information that could reveal firm vulnerabilities, on the one hand,
and serving the public interest in transparency on the other. The Board
still believes it strikes an appropriate balance to require that the
financial statement, material event, and cybersecurity incident
reporting requirements be confidential, while requiring other reporting
areas to be public. The Board believes that much of the information
required to be publicly disclosed is of the type that is already
publicly available in some format, i.e., the type of fee, governance,
and network information that the Board requires is of the type that
some firms already report in voluntary transparency reports or on their
websites. Moreover, in cases where such information is not currently in
the public domain, the nature of the applicable disclosure requirement
is sufficiently general and principles-based that it should not expose
a firm to significant vulnerabilities or the disclosure of proprietary
information. And the Board has further modified the final amendments to
mitigate the possibility of the disclosure of proprietary information
or personal data in the public reporting requirements, as discussed
above. At the same time, the Board continues to believe that the
potentially proprietary, sensitive and developing nature of certain
information militates in favor of confidential reporting, and that
confidential reporting would promote more candid reporting that would
better serve the PCAOB's regulatory oversight objectives.
In addition, the Board clarifies that it does not intend to make
public the information that would be reported confidentially under the
final amendments. Discussion in the proposal of information that may be
made public in the future was limited to two scenarios. First, the
proposal stated that the Board intended to analyze reported information
to determine if further information should be made public pursuant to a
later rulemaking. In other words, the Board may in the future require
additional public reporting, but such reporting would be required
pursuant to a further rulemaking initiative. The Board does not intend
to retroactively make public information submitted under the final
amendments. Second, the Board may consider making certain reported
information public in an anonymized and aggregated fashion that would
not compromise the confidential nature of any individual firm's
disclosure. This is consistent with the Board's current practice in,
for example, staff publications \72\ and is consistent with the Board's
obligations under Sarbanes-Oxley to protect certain categories of
information. Neither discussion was intended to convey that the Board
intended to make public any information submitted by an individual firm
on a non-public basis pursuant to the final amendments.
---------------------------------------------------------------------------
\72\ See PCAOB, Staff Publications, available at <a href="https://pcaobus.org/resources/staff-publications">https://pcaobus.org/resources/staff-publications</a>.
---------------------------------------------------------------------------
Confidential Status of Reported Information
Some commenters suggested that any information required by the
proposal should be submitted by firms to the PCAOB only through the
inspections process so that the information acquired the protections of
Section 105(b)(5) of Sarbanes-Oxley. One commenter expressed that it is
unclear whether confidentiality protections under Section 102 of the
Sarbanes-Oxley Act would provide the same level of assurance of
confidentiality protection as that provided by Section 105(b)(5). This
commenter discussed that it would be unclear how the Board interprets
its duties under the Sarbanes-Oxley in scenarios where the PCAOB
receives requests for confidential information from third parties not
covered by Section 105(b)(5) and where the PCAOB makes information
reported under the proposal available to other agencies. Another
similarly stated that any information the Board is seeking for its own
use in overseeing registered firms through confidential submissions
should continue to be collected pursuant to the PCAOB's inspection
process. A commenter also asserted that the PCAOB should clarify that
Section 105(b)(5) applies to any information or data reported to the
PCAOB on a confidential basis.
Under Sarbanes-Oxley Section 102(e), the information provided under
this section ``shall be made available for public inspection, subject
to rules of the Board or the Commission, and to applicable laws
relating to the confidentiality of proprietary, personal, or other
information contained in such applications or reports, provided that,
in all events, the Board shall protect from public disclosure
information reasonably identified by the subject accounting firm as
proprietary information.''
In addition, under Section 105(b)(5) of Sarbanes-Oxley,
``information prepared or received by or specifically for the Board,
and deliberations of the Board and its employees and agents, in
connection with an inspection under section 104 or with an
investigation under Section 105, shall be confidential and privileged
as an evidentiary matter'' subject to certain limitations and
exceptions.
The Board has relied principally on Section 102, rather than
Sections 104 or 105, to require reporting of the information to be
provided under the final amendments, but has set forth in the final
amendments that certain categories of information shall be
confidential. In general, as described above, the Board does not intend
to make public the information reported confidentially by an individual
firm under the final amendments.\73\
---------------------------------------------------------------------------
\73\ This is subject to the enumerated exceptions in Section 105
related to sharing with, among other entities, the SEC.
---------------------------------------------------------------------------
The Board notes that it is the intended purpose of the final
amendments that the information be used in connection with inspections
authorized under Section 104 as detailed below.\74\ In particular, the
Board currently collects financial statements for certain large firms
as part of its inspection process as noted in the proposal. The
financial statement reporting requirement included in the final
amendments is intended to improve the standardization and consistency
of the provision financial statements, specifically with reference to
(though not expressly limited to) their use by the inspection staff in
the course of annual inspections of those firms. In this regard, the
Board believes that the information collected on a confidential basis
under the final amendments to inform the PCAOB's oversight of firms,
particularly financial statements collected to inform inspections, may
be subject to the privileges afforded information received by the Board
in connection with an inspection under Section 104.\75\ To make more
apparent the Board's intention in this regard, the Board has moved the
rule mandating the reporting of financial statements to Section 4:
Inspections in the Board's rules and renumbering accordingly. The Board
believes this renumbering is more
[[Page 96725]]
consistent with the current and intended inspection use of financial
statements.
---------------------------------------------------------------------------
\74\ This does not foreclose other uses.
\75\ Subject to certain exceptions, documents and information
prepared or received by or specifically for the Board, in connection
with an inspection under Section 104 of Sarbanes-Oxley, shall be
confidential and privileged as an evidentiary matter under Section
105(b)(5) of Sarbanes-Oxley.
---------------------------------------------------------------------------
With respect to confidentially reported information, the Board
notes there are compelling reasons to resist any publication or sharing
of this information as discussed throughout the release. For example,
material event reporting may implicate information that is sensitive
and/or proprietary and, in certain instances, protected from disclosure
under Sarbanes-Oxley. Cybersecurity incident reporting may implicate
information that could give rise to security issues for registered
firms or otherwise compromise sensitive aspects of a firm's operations.
Finally, the Board observes that, with respect to information
reported confidentially, the Board has historically provided firms an
opportunity to request notification in the event that the Board is
requested by subpoena or other legal process to disclose such reported
information.\76\ The Board believes that such a provision is
appropriate with respect to the confidentially reported financial
statements, material events, and cybersecurity incidents and are
modifying Forms 2 and 3 to provide firms this option.
---------------------------------------------------------------------------
\76\ See, e.g., Form 1-WD, General Instruction 5 (``Pursuant to
Rule 2107, any Form 1-WD filed with the Board shall be non-public. A
registered public accounting firm may submit with Form 1-WD a
request for Board notification in the event that the Board is
requested by subpoena or other legal process to disclose the Form 1-
WD. The Board will make reasonable attempts to honor any such
request, although the Board will make public the fact that the firm
has requested to withdraw from registration.'').
---------------------------------------------------------------------------
3. Assertion of Conflicts of Laws
The Board acknowledges that there may be certain limitations with
respect to the data or information about a firm and its personnel that
a firm may communicate publicly because public dissemination of it may
conflict with a non-U.S. law. In considering whether to allow the
opportunity to assert conflicts, the Board has considered both whether
it is realistically foreseeable that any law would prohibit providing
the required information and, even if it were realistically
foreseeable, whether allowing a firm preliminarily to withhold the
information is consistent with the Board's broader responsibilities and
the particular regulatory objective.\77\ In addition, even where the
Board has allowed registered firms to assert legal conflicts in
connection with other forms, that accommodation does not entail a right
for a firm to continue to withhold the information if it is
``sufficiently important.'' \78\
---------------------------------------------------------------------------
\77\ See PCAOB Rel No. 2015-008, at 37.
\78\ See, e.g., PCAOB Release No. 2008-004, at 37-38 n.37.
---------------------------------------------------------------------------
At the time it implemented Form 2, the Board extended an
accommodation to registered non-U.S. firms by permitting them to
request confidential treatment of information provided in response to
Form 2, Item 3.2 (Fees Billed to Issuer Audit Clients).\79\ The staff's
experience of reporting in response to that item has suggested that
such an accommodation is not necessary. The Board has not granted a
request for confidential treatment for information reported under this
item, and it is not aware of any law that prohibits providing the fee
information that is currently required or the fee information that the
Board proposed to require. The Board notes that audit firm fee
information is routinely reported under various international
transparency directives, as well as pursuant to SEC issuer reporting
requirements. Accordingly, the Board proposed to revise the
instructions to Form 2 to delete the language permitting foreign
registered firms to seek confidential treatment of information provided
in response to Form 2, Item 3.2.
---------------------------------------------------------------------------
\79\ For a firm to request confidential treatment, PCAOB Rule
2300, Public Availability of Information Submitted to the Board;
Confidential Treatment Requests, at (c)(2) requires both a
representation that the information has not otherwise been publicly
disclosed and either (1) a detailed explanation of the grounds on
which the information is considered proprietary, or (2) a detailed
explanation of the basis for asserting that the information is
protected by law from public disclosure and a copy of the specific
provision of law.
---------------------------------------------------------------------------
With respect to the remaining information the Board proposed to
require (with the limited exceptions of certain QC roles identified
below), based on the Board's experience in this area, the Board did not
foresee a realistic possibility that any law would prohibit a firm from
providing the information. As noted above, in general, the Board
believes that the information to be publicly reported is of the type
that is already made public in some form by audit firms, including in
existing transparency reporting, or is otherwise publicly available.
The Board has also designed the reporting requirements with a view to
avoiding personal identifying or client-specific information of the
sort that could be protected by law.\80\
---------------------------------------------------------------------------
\80\ The Board acknowledges certain requirements call for the
names and titles of those in audit firm leadership positions.
However, the Board believes the reporting requirements call for
information regarding individuals in sufficiently senior positions
that such information should already be public, with the limited
exceptions of certain QC roles discussed below assertions of
conflicts will be permitted for non-U.S. firms.
---------------------------------------------------------------------------
Several commenters urged the PCAOB to retain the existing
confidentiality treatment provision in Form 2 and extend such provision
to cover the proposed disclosure items in order to allow non-U.S. firms
to request confidential treatment where a required disclosure by a firm
would be in conflict with applicable local laws/regulations. Commenters
clarified that allowing such requests would protect against future
conflicts of law that might develop. One commenter stated that they
understood from non-U.S. firms that some of the proposed new required
disclosures go beyond what non-U.S. regulators require and may lead to
violations of local laws resulting from disclosure of information that
non-U.S. auditors are required to keep confidential.
As an initial matter, after considering the comments, the Board has
decided to maintain its decision to eliminate the instructions to Form
2 with the language permitting foreign registered firms to seek
confidential treatment of information provided in response to Form 2,
Item 3.2. Commenters have not brought to the Board's attention specific
laws that would prohibit disclosure of this item, including in its
amended form requiring fee amounts. The Board received general comments
on fee amounts, as opposed to proportions, implicating proprietary
information. However, the Board notes the fee information would be
reported on an aggregated basis. Even if a firm has limited clients or
a single issuer client, it is not clear how that would implicate
information that would be prohibited from disclosure by law, especially
in light of the public reporting of such information under SEC rules.
With respect to personal data, as discussed below, the Board has
limited requirements to only the more senior roles that it believes are
most likely to be public. With respect to certain individual names that
may be less senior or less likely to be otherwise publicly disclosed
(QC operational and oversight roles), the Board further is permitting
non-U.S. firms to assert conflicts. Commenters did not identify other
categories of personal data that could not be disclosed under foreign
law. In general, the comments the Board received on this issue did not
identify specific provisions of laws, or existing rulemaking efforts,
that would create conflicts between those laws and specific proposed
metrics. The conflicts purportedly identified were instead general or
speculative in nature.
[[Page 96726]]
Moreover, the Board believes the changes it has made to narrow the
roles reported, and the determination to permit assertions of conflicts
by non-U.S. firms for less senior roles, mitigate the potential for any
conflicts. Accordingly, the Board does not believe it is realistically
foreseeable that a law would prohibit the required additional
reporting. As such, the Board has not permitted assertions of conflicts
in the final amendments, with one exception, namely the QC oversight
and operational roles.
Discussion of the Reporting Updates
The Board has adopted amendments to Forms 2 and 3 to impose new
reporting requirements, and to implement a new form for firms to update
their ``Statement of Applicant's Quality Control Policies'' reported on
Form 1 \81\ on a one-time basis. This section discusses the specific
amendments.
---------------------------------------------------------------------------
\81\ The Statement of Applicant's Quality Control Policies is
currently reported on Form 1.
---------------------------------------------------------------------------
Financial Information
1. Fee Information
The Annual Report Form currently requires firms to report the
percentages of total fees that were billed to issuer clients for audit
services, other accounting services, tax services, and non-audit
services relative to the total fees billed for the period.\82\ When the
Board originally conceived this requirement, it intended for it to
provide ``a picture of how the firm's services for issuer audit clients
compare generally with the firm's services for other clients, and . . .
also [to] provide a picture of the allocation of services the firm
provided to issuer audit clients.'' \83\ The Board continues to believe
that such information is useful to investors and audit committees in
understanding a firm's audit practice, individually and relative to
other services provided. In the proposal, the Board explained that it
believed requiring reporting in actual dollar amounts, rather than
percentages, and providing more complete and further disaggregated fee
information, would increase the benefit of this reporting requirement.
---------------------------------------------------------------------------
\82\ See Form 2, Item 3.2.
\83\ See PCAOB Release No. 2006-004, at 4. With respect to the
PCAOB's regulatory authority to impose requirements to disclose non-
audit related fees, Sarbanes Oxley Section 102(d) gives the PCAOB
authority to require ``additional information as the Board or
Commission may specify, in accordance with subsection (b)(2).''
Section 102(b)(2)(H), in turn, specifies that such information can
be necessary or appropriate in the public interest or for the
protection of investors. Here, obtaining additional data on non-
audit services allows Form 2 user to better assess how the firm's
audit practice compares to other parts of its business. This is
consistent with the PCAOB's original rationale for collecting
information for fees from non-audit services.
---------------------------------------------------------------------------
Accordingly, the Board proposed to amend Form 2, Item 3.2 to
require enhanced information regarding a firm's audit fees.
Specifically, the Board proposed to require firms to report:
<bullet> Fees for audit services, in total and from
<bullet> issuers;
<bullet> broker-dealers;
<bullet> and other companies under audit (delineating sources,
e.g., fees from private company audits and custody rule audits); \84\
---------------------------------------------------------------------------
\84\ PCAOB Rule 1001, Definitions of Terms Employed in Rules, at
(a)(vii) defines ``audit services'' as follows:
With respect to issuers, the term ``audit services'' means
professional services rendered for the audit of an issuer's annual
financial statements, and (if applicable) for the reviews of an
issuer's financial statements included in the issuer's quarterly
reports or services that are normally provided by the accountant in
connection with statutory and regulatory filings or engagements for
those fiscal years; With respect to brokers and dealers, the term
``audit services'' means professional services rendered for the
audit of a broker's or dealer's annual financial statements,
supporting schedules, supplemental reports, and for the report on
either a broker's or dealer's compliance report or exemption report,
as described in Rule 17a-5(g) under the Exchange Act.
---------------------------------------------------------------------------
<bullet> Fees from other accounting services; \85\
---------------------------------------------------------------------------
\85\ PCAOB Rule 1001(o)(i) defines ``other accounting services''
as assurance and related services that are reasonably related to the
performance of the audit or review of the client's financial
statements, other than audit services.
---------------------------------------------------------------------------
<bullet> Fees from tax services; \86\ and
---------------------------------------------------------------------------
\86\ PCAOB Rule 1001(t)(i) defines ``tax services'' as
professional services rendered for tax compliance, tax advice, and
tax planning.
---------------------------------------------------------------------------
<bullet> Fees from non-audit services.\87\
---------------------------------------------------------------------------
\87\ PCAOB Rule 1001(n)(ii) defines ``non-audit services'' as
all services other than audit services, other accounting services,
and tax services.
---------------------------------------------------------------------------
The proposal, in contrast to the current Form 2 requirement, would
have required reporting of fees billed in these categories from all
clients rather than from issuer audit clients.
Some commenters generally supported the proposed enhanced fee
requirements, with one commenter noting that the allocation of fees
between issuers, broker-dealers, and non-PCAOB clients may be useful to
investors and audit committees in assessing the qualifications of
potential audit firms. One commenter noted that the disaggregation of
fees between issuer and broker-dealer audit clients may provide
relevant information about the nature of the firm's activities and
expressed support for disclosure that enabled comparison of a firm's
issuer audit practice as compared to its other practice.
Some commenters expressed concerns about the usefulness of proposed
enhanced fee reporting, including skepticism that reporting in actual
fee amounts would provide greater insight than fee information reported
in percentages, noting the proposed fee categories deviate from fee
disclosures required in SEC proxy statements and suggesting the fee
information in existing Form 2 requirements and proxy statements
provides adequate insight into audit fees. One commenter suggested that
retaining percentage-based disclosure would allow stakeholders to
remain focused on meaningful metrics. One commenter stated the proposed
fee disclosure was tantamount to detailed segment disclosure of revenue
across service lines and suggested the proposed requirement conflicts
with the Board's proposed confidential approach to reporting financial
statements. Some commenters questioned whether any inferences regarding
audit quality could be drawn from the proposed fee disclosures and one
suggested fee disclosures, if any, should be limited to fees for
services to issuers and broker-dealers and fees provided to other
clients. Some commenters also questioned whether the proposed fee
disclosures would increase comparability, noting the differences of
size and structures of firms.
Other commenters stated that reporting fees at the proposed level
of granularity would represent substantial costs for firms, with one
commenter particularly highlighting difficulties of reconciling timing
and allocation of private company audit fees. That commenter also
stated that the level of precision the proposal would require is
inconsistent with the PCAOB's original rationale for fee reporting and
suggested more research before implementing the proposed requirement.
Another commenter stated that reporting fees at the proposed level of
specificity would require transformation of finance systems for many
firms, stating that the proposal would eliminate a reliable existing
source of fee data in SEC disclosures, remove the current Form 2
provision that allows for estimates, and require special tracking fees
for the new PCAOB fee categories. Another commenter stated that,
because its issuer audit practice is small, the costs of fee disclosure
would be disproportionate to the number of audits impacted. One
commenter suggested that, if the Board proceeds with the fee proposal,
it should be modified to allow estimates, allow use of data already
required to be provided in SEC filings, allow for reporting based on
client or firm fiscal year end, and allow firms to
[[Page 96727]]
explain calculation methodology on Form 2. One commenter suggested, as
an alternative, that the Board consider better defining reporting
requirements to improve comparability and research further the
implications of disclosure at the proposal's level of granularity.
Some commenters questioned whether the proposed disclosure of fees
regarding non-PCAOB audits were within the PCAOB's remit or opposed the
level of disaggregation of the audit fees for non-PCAOB audits. Some
commenters suggested that the proposed disclosure of fees related to
non-PCAOB audits was in tension with the clarification and distinction
between services subject to and not subject to PCAOB oversight
discussed in proposed Rule 2400, Proposals Regarding False or
Misleading Statements Concerning PCAOB Registration and Oversight and
Constructive Requests to Withdraw from Registration or could cause
confusion about the scope of the Board's oversight that could lead to a
false sense of confidence in non-PCAOB aspects of a firm's operations.
Other commenters suggested the proposal steps into the regulation of
non-PCAOB audits.
In addition, commenters asked for clarification regarding the shift
from requiring disclosure of fees billed to issuers to fees billed to
all clients. Finally, some commenters asked for a materiality or de
minimis threshold for fee disclosures. One commenter stated that, under
current Form 2 reporting requirements, it would take a material
difference in fees to shift the percentage that is reported.
The Board also solicited comments on whether it should consider
changing the Form 2 reporting period, including to align with Form FM,
which commenters opposed.
The Board has adopted enhanced fee disclosure requirements with
modifications. The Board continue to believe that requiring disclosure
of actual fee amounts, rather than percentages, will increase the
usefulness of fee reporting. For example, disclosing actual fee amounts
of issuer audit fees will permit stakeholders to ascertain the size of
a firm's audit practice, isolate firms of similar size, and compare fee
information across a subset of similarly sized firms. In addition, the
Board continues to believe that, despite the availability of issuer-
level fee data in SEC filings, it is beneficial to provide aggregated
data to stakeholders, particularly investors, for whom it would
represent a significant cost to compile similar information from SEC
filings.
In consideration of comments, the Board has eliminated the proposed
requirement to provide disaggregated data for audit services billed to
non-issuer and non-broker-dealer clients (i.e., to non-PCAOB clients).
In addition, the Board has eliminated the requirement to report fees
billed to all clients for each of the four fee categories. While the
Board continues to believe that it is both within the PCAOB's statutory
authority, and an appropriate exercise of that authority, to require
reporting of information regarding an audit firm's operations that may
bear on its audit practice, the Board is mindful of comments regarding
the costs and ambiguities of disclosing at the proposed level of
granularity.
Accordingly, the modified amendment will require firms to report
the amount of fees billed to issuer audit clients for audit services,
other accounting services, tax services, and non-audit services during
the reporting period. These amounts represent the numerator for the
proportion that must currently be calculated in order to report the
percentages currently required on Form 2. In other words, this
amendment should not require any additional tracking or calculation by
firms. In addition, the modified requirement would require firms to
report the total fees billed by the firm to all clients for services
rendered during the reporting period. This amount represents the
denominator for the proportion that must currently be calculated in
order to report the percentages currently required on Form 2.
Therefore, again, this amendment should not require any additional
tracking or calculation by firms. Finally, the modified requirement
will require firms to report fees billed to broker-dealer audit clients
during the reporting period. The Board agrees with commenters that
supported this element of the proposal and continues to think it is
appropriate to provide some insight into the broker-dealer practice in
relation to the firm's other practices.
Further, in a change from the proposal, for fees billed to issuer
audit clients, the modified requirement will retain Form 2's existing
provision permitting a firm to identify whether it is reporting amounts
for the Form 2 reporting period or fee amounts disclosed to the
Commission by those clients for each client's fiscal year. It will
further retain Form 2's existing provision allowing firms to indicate
if they have used a reasonable method to estimate amounts and to
describe its reasons for doing so. It will not retain the Form's
current rounding provision as that provision refers to rounding
reported percentages to the nearest five percent and would be
inapplicable to reported amounts. Instead, it will substitute language
permitting rounding to the nearest dollar amount.
The Board believes these changes will ease implementation and costs
associated with enhanced fee reporting while still providing the most
useful proposed additional information to investors, audit committees,
and other stakeholders, and better aligning the fee disclosure
requirement on Form 2 with those required in other jurisdictions, such
as the EU.\88\
---------------------------------------------------------------------------
\88\ The changes will not accomplish perfect alignment with EU
reporting categories but better align with that reporting regime
while maintaining SEC fee reporting categories.
---------------------------------------------------------------------------
As proposed, the Board has not adjusted the Form 2 reporting period
to align with the Form FM reporting period or otherwise.
Lastly, the Board has not adopted a materiality or de minimis
threshold in connection with the obligation to amend forms to correct
information that was incorrect at the time the report was filed or to
provide information that was omitted from the report and was required
to be provided at the time the report was filed. Historically, the
Board has not established, and has not found necessary, materiality or
de minimis thresholds in connection with form amendments. The Board
believes that implementing a materiality or de minimis threshold would
introduce unnecessary complexity and uncertainty to the form amendment
process and, further, would potentially threaten, or be perceived to
threaten, the accuracy and reliability of reported information, thereby
undermining the intended purpose of the amendments. The Board notes
that rounding and reasonable estimates are permitted in connection with
fee reporting. There is no expectation that differences in reported
amounts within the rounding threshold, or differences between actual
and estimated amounts, would require amending the form to correct
reported amounts.
2. Financial Statements
In addition to enhanced fee information, the Board proposed to
require that the largest firms provide financial statements to the
PCAOB annually on a confidential basis. The Board proposed to define
the largest firms as those that issued more than 200 reports for issuer
audit clients and had more than 1,000 personnel during the relevant
reporting period.\89\ The Board
[[Page 96728]]
proposed that such financial statements be reported in accordance with
the applicable financial reporting framework in the firm's jurisdiction
(i.e., either U.S. GAAP or IFRS, exclusively) \90\ but would not be
required to be audited. The Board proposed to provide for an extended
transition period of three years in connection with this requirement.
For years 1 and 2, firms would have been permitted to provide financial
statements that do not conform to the applicable financial reporting
framework, provided that they (1) identify the information that is not
readily available but is required to produce U.S. GAAP or IFRS
statements, and (2) provide notes that would reconcile non-conforming
financial statements to the applicable financial reporting framework.
The Board proposed to require that the largest firms submit financial
statements for the most recent fiscal year ended during the Annual
Report Form reporting period. The Board did not propose to define a
fiscal year for reporting firms.
---------------------------------------------------------------------------
\89\ The number of firm personnel is currently reported in Item
6.1 of Form 2 and information regarding audit reports for issuers is
currently reported in Item 4.1 of Form 2. As of December 31, 2023,
the registered firms that meet such criteria audit issuers that
possess a combined market capitalization of $62.19 trillion, which
represents 99.82% of the total market capitalization of all issuers
audited by registered firms.
\90\ The firms that would currently meet this threshold are U.S.
firms; therefore, the applicable financial reporting framework would
be U.S. GAAP.
---------------------------------------------------------------------------
Further, the Board did not propose public reporting of financial
statements. The Board did propose, however, to modify the Annual Report
Form to include a checkbox for the largest firms to indicate they have
submitted financial statements confidentially to the PCAOB.
As discussed in more detail in the proposal, the Board believes
requiring financial statements from the largest firms will enhance the
PCAOB's oversight and monitoring of these firms and the audit market.
This information will help the PCAOB better understand a registered
firm's audit practice, the relationship of its audit practice to its
overall business, and the overall financial stability of a firm. An
assessment of audit firm resources will enable the Board to understand
a firm's capacity to withstand risks associated with events such as a
firm's break-up, court judgments against the firm, or threats to global
networks or other affiliates that may require the firm's support. The
financial statement information will inform the PCAOB's inspection
function by providing a baseline understanding of a firm's operations,
the resources devoted to its audit practice, and its focus and
incentives. Further, financial information will inform overall economic
and risk analysis, including as it relates to analysis performed to
support standard-setting, inspections, and enforcement activities, and
the Board's overall oversight.
Finally, the Board explained in the proposal that requiring this
information to be presented in accordance with an applicable financial
reporting framework will increase the usefulness of this information to
the PCAOB by facilitating analysis and comparison across firms and
ensuring the information is presented completely and in an accessible
manner.
General Comments
Some commenters supported the proposed financial statement
requirement generally, noting its consistency with the ACAP
recommendation. These commenters also supported requiring financial
statements to be public and audited, citing prior IAG discussions and
the ACAP recommendation, and stating auditing firms in the UK have
publicly issued annual reports containing audited financial statements
for a dozen years. These commenters stated that investors would find
aspects of audited financial statements and related footnotes useful
when making proxy voting decisions or exercising oversight
responsibilities over public company audit committees. They also stated
that aspects of the independent auditor's report would provide useful
information to investors when making proxy voting decisions or
exercising oversight responsibility over public company audit
committees.
Some commenters opposed any auditing requirement. Others supported
maintaining the confidentiality of financial statements, including
suggesting that disclosure of confidential financial information could
expose firms to competitive and other risks. One commenter suggested
that public reporting of financial statements could mislead the public
into believing that all areas of the audit firm's business are subject
to PCAOB oversight.
Others opposed the financial statement requirement generally and
raised questions regarding the value of the reported information to the
PCAOB, including stating that the proposal does not identify specific
actions the Board would take, or could take within its authority, if it
identified solvency-related information and asking for more clarity on
how the Board would use the information, questioning how the
information would improve audit quality and safeguard investors, and
noting that the PCAOB has access to financial statement information
through the inspection process. One commenter stated that there would
be few firms that would qualify for the financial statement requirement
and they would be submitted confidentially; therefore usefulness and
benefits of the data would be limited but still involve tremendous
cost. Some commenters questioned whether the requirement is within the
Board's authority, with one specifically noting the requirement to
delineate financial statements by service line and stating the proposal
is in conflict with the Board's Rule 2400 proposal.
The Board has adopted the proposed financial statement reporting
requirement with modifications. For the reasons noted in the proposal,
the Board continues to believe that requiring the largest firms to
report financial statements to the PCAOB annually will enhance PCAOB
oversight of these firms. As commenters observed, the PCAOB can
collect, and at times (including at present) has collected, financial
statements from larger firms through its inspection function. However,
the financial statements have not been provided in a consistent and
readily comparable form when collected in the inspections context. The
Board continues to believe that financial statements are useful in the
inspection context to broadly understand the firm's business and
allocation of resources, and further believes that the utility will be
enhanced by the increased standardization and consistency that will
result from formalizing the collection of financial statements through
a reporting requirement. For example, more standardized reporting of
financial information will better enable the Board to understand the
allocation of resources to a firm's audit practice, including changes
in resources available from year to year. As another example, reliable
year-over-year collection of financial statements will increase their
usefulness in producing research to inform standard-setting and
rulemaking. In addition, having more standardized financial statements
on hand will assist the Board in understanding a firm's ability to
withstand potential solvency threatening events reported under other
provisions of the final rules.
The Board agrees with commenters that confidential collection of
financial statements is appropriate at this time. The Board
acknowledges investor comments that aspects of financial statements may
be useful to them in exercising voting and oversight responsibilities
but, at present, continues to believe it does not have sufficient
information regarding what
[[Page 96729]]
specific elements of financial statements, or how financial statements
as a whole, would serve the public (in contrast to regulatory use of
such information, which has been demonstrated in the inspections
context). Moreover, in certain limited circumstances, elements of
financial statements may constitute proprietary information.
Accordingly, the Board has adopted the requirement that financial
statements be reported confidentially, as proposed. The Board has added
an instruction to Form 2 to clarify that financial statements shall be
submitted confidentially. Given the confidential nature of the
reporting, the Board continues to think an auditing requirement would
have less utility (as compared to requiring auditing for publicly
reported financial statements), as the Board is well-positioned to
understand any limitations that a lack of reasonable assurance implies.
Moreover, the reported information would be subject to the
certification contained in Form 2 that it does not contain any untrue
statement of a material fact.\91\
---------------------------------------------------------------------------
\91\ See Form 2, Part X.
---------------------------------------------------------------------------
Lastly, the commenters generally agreed with the proposal not to
define a firm's fiscal year for purposes of the financial statement
requirement. As proposed and consistent with comments received, the
Board has not defined a fiscal year in connection with this
requirement.
Comments on GAAP/IFRS
Some commenters supported the proposal to require financial
statements to be reported in accordance with an applicable financial
reporting framework, i.e., GAAP or IFRS. Other commenters opposed the
GAAP requirement, or expressed concerns, stating that it should not be
necessary to achieve the Board's objectives, and the Board does not
have a regulatory need for comparability, and questioned how the
information would be useful to the Board. Others stated that
comparability would be hindered including due to differences in firm
structures. Some commenters stated that any additional information
should be collected through the inspection process which would permit
dialogue or follow-up requests.
Some commenters noted that most firms do not prepare GAAP financial
statements. Commenters also noted in connection with this requirement
that firm business models and structures vary, reporting per an
applicable financial reporting framework would not serve a business
purpose for the firm, and firms would incur significant costs to
prepare GAAP financial statements, with one commenter noting smaller
firms would find the requirement particularly burdensome. One commenter
stated that GAAP financial statements may require consolidation of
subsidiaries, which could include international businesses and other
service lines, which may include more information than intended by the
proposed requirement. Another commenter stated that firms as privately
held entities should have flexibility to provide financial statements
in the form used by firm management. One commenter stated that its
audit practice is a small part of its overall business and therefore
its financial statements would predominantly not relate to its audit
practice.
A commenter noted that the proposed reporting by business line will
create additional cost. Another commenter noted the need to clarify the
delineation of statements by business line, noting that GAAP may or may
not require such a delineation. Other commenters stated that to
reconcile non-conforming financial statements to the applicable
financial reporting framework during the proposed transition period
would essentially require firms to do GAAP during that period.
The Board has not adopted the requirement to report financial
statements in accordance with an applicable financial reporting
framework. As discussed in greater detail in Section D, the Board
understands that preparing financial statements in accordance with GAAP
will entail costs and that firms do not necessarily have a business
purpose for the preparation of such financial statements. However, the
Board continues to believe that standardizing to some degree the form
in which financial statements are reported will enhance the Board's
oversight, both with respect to the current use of financial statements
in the inspections context and for broader regulatory purposes that
more standardized reporting may enable, including to inform policy
research. However, the Board is persuaded that it can achieve a useful
degree of standardization without mandating reporting in conformity
with GAAP. Accordingly, the Board has adopted the rule without language
requiring reporting in conformity with an applicable financial
reporting framework.
The Board has retained the requirement that reported financial
statements should include a balance sheet, income statement, cash flow
statement, and notes to the financial statements for the entity
registered with the Board. The Board believes it is useful to set forth
the basic components that should be included in the financial
statements for clarity. The Board has also retained the requirement
that financial statements should delineate by service line (i.e., audit
services, other accounting services, tax services, and non-audit
services).\92\ This delineation is consistent with the Board's
historical rationale for requiring fees to be reported for these
categories, namely to understand the audit practice in context with the
firm's other lines of business. However, the Board has specified that
the delineation by service line should include, at a minimum,
delineation by service line of revenue and operating income. With
respect to revenue, given the current Form 2 requirements for fee
reporting with respect to these four service lines, and based on the
staff's oversight experience, the Board believes firms should already
be delineating fees in this manner. Narrowing this requirement to
revenue and operating income--instead of leaving the requirement
broadly applicable to all aspects of the financial statements or as
compared to GAAP segment reporting--should clarify the requirement and
ease implementation costs.
---------------------------------------------------------------------------
\92\ The proposed rule indicated that financial statements
should delineate by service line (i.e., audit services, other
accounting services, tax services, and non-audit services subject to
PCAOB oversight). The Board has clarified in the final amendments
that it means audit services, other accounting services, tax
services, and non-audit services as those terms are defined in the
Board's rules.
---------------------------------------------------------------------------
To achieve a further degree of standardization and, in turn, help
ensure the financial statements improve PCAOB oversight, the Board has
added language to require that financial statements should be prepared
on an accrual basis. Additionally, the Board has included language to
require reporting of significant ownership interests, private equity
investments, unfunded pension liabilities, and related party
transactions, including those with other members of a global
network.\93\ The Board believes specifying accrual basis of accounting
(1) should help ensure that the staff has access to audit firm
financial information that may impact the audit practice (e.g., accrued
compensation and benefits, post-retirement medical benefits,
distributions to former partners, accounts payable, long-term debt and
notes payable, reserves for claims, taxes, advance payments from
clients, lease obligations, related party obligations, and other
expenses
[[Page 96730]]
incurred); and (2) is generally consistent with current practice at
larger firms and should represent a lesser cost to firms than GAAP/IFRS
reporting would have entailed.\94\ Narrowly specifying certain
additional information will help ensure the staff obtains prioritized
information without imposing the costs of GAAP/IFRS reporting.\95\
---------------------------------------------------------------------------
\93\ The Board notes that it is declining at this time to
promulgate a more comprehensive framework for financial reporting by
audit firms in favor of these minimum specifications.
\94\ The Board notes that GAAP/IFRS financial statements are
accrual basis and the comments on that aspect of the proposal did
not specify that accrual basis in particular would be problematic or
costly. Indeed, a commenter stated that financial statements
prepared on a non-GAAP or modified GAAP basis using accrual
accounting reflect the way firms run their businesses and are
therefore more appropriate and useful for the PCAOB.
\95\ The Board believes the additional specified information is
of the type that would be called for by GAAP. See, e.g., ASC 810 and
ASC 850.
---------------------------------------------------------------------------
The Board believes these modifications balance the need for some
degree of standardization in order to improve staff oversight with the
costs to firms that conformity to GAAP/IFRS would have entailed.
In further consideration of comments regarding costs, the Board
continues to believe it is appropriate to confine this requirement to
the largest audit firms, which are better able to bear costs.
Accordingly, the Board has adopted the large firm threshold
substantially as proposed. The Board has modified the language
codifying the threshold to clarify that it depends on the number of
issuers for which a firm has issued audit reports, i.e., the
requirement applies to a registered public accounting firm that issued
audit reports for more than 200 issuers and had more than 1,000
personnel during the preceding Form 2 reporting period, rather than a
firm that has issued more than 200 audit reports. This better aligns
with information reported on Form 2.
Because the Board has not adopted the GAAP/IFRS requirement (and
therefore are not adopting segment reporting requirements or interim
requirements to reconcile non-conforming information) the Board has not
further addressed comments regarding tension between GAAP segment
reporting and reporting by service line, or comments regarding the
requirement to reconcile non-conforming information during the
transition period.
Comments on Authority
Some commenters suggested that requiring GAAP financial statements
exceeded the PCAOB's authority. Specifically, for example, a commenter
stated that it questioned the authority and rationale behind requiring
firms to change their basis of financial reporting when many use (and
may be required to use, pursuant to partnership agreements or other
obligations such as bank covenants and related arrangements) another
framework to manage and report on their business operations. The Board
thinks comments of this nature are mooted to a significant degree by
removing the requirement to report in conformity with an applicable
financial reporting framework. In addition to the above-referenced
general response regarding authority for these reporting requirements,
the Board notes that it is not purporting to dictate anything regarding
the financial reporting that a firm engages in for business and other
purposes. The exclusive purpose of the reporting requirement is to set
forth some minimum requirements for reporting to the PCAOB that will
enhance the PCAOB's oversight as it relates to the firm's conduct of
audits and the Board's objective of understanding the firm's audit
practice in relation to the conduct of its overall business.
Governance Information
The Annual Report Form currently requires firms to identify the
legal name of the firm, contact information for the firm, and a primary
contact person for the Board. In recent years, regulatory requirements,
investor demands, and market practices have come to reflect a consensus
around the importance of governance information to investors and audit
committees. For example, IOSCO, after extensive study and outreach,
published a guidance document for audit firm transparency reporting in
which it specified including a description of the firm's legal,
ownership, and governance structure.\96\ One disclosure guide for
transparency and audit quality reporting notes the direct relationship
between firm leadership and governance on the one hand, and audit
quality on the other, identifying governance and leadership as a
component of audit quality.\97\ Transparency regulations in other
jurisdictions require firms to publish certain governance
information.\98\ The prevalence of such information in mandatory and
voluntary transparency frameworks reflects its fundamental importance
to understanding and assessing an audit firm and its ability to deliver
audit services. Importantly, however, voluntary transparency reports
have not resolved the present opacity with respect to audit firm
structure, governance, and operations. The Board believes it can
mitigate the lack of transparency through enhanced governance reporting
requirements, which will also increase standardization of the
information available.
---------------------------------------------------------------------------
\96\ IOSCO, Transparency of Firms.
\97\ CAQ, Audit Quality Disclosure Framework (June 2023), at 8.
\98\ See, e.g., Regulation (EU) No 537/2014 at Article 13.
---------------------------------------------------------------------------
Accordingly, the Board proposed to amend Form 2 to create new Item
1.4 to identify the following enhanced governance-related information,
as rendered in the proposing release:
<bullet> the principal executive officer and all direct reports to
that officer, including names and titles; \99\
---------------------------------------------------------------------------
\99\ Direct reports to the principal executive officer should
not be understood to include administrative staff.
---------------------------------------------------------------------------
<bullet> the individuals who are responsible for various components
of the QC system (outlined in QC 1000, A Firm's System of Quality
Control), including the individual(s) with ultimate accountability for
the QC system as a whole;
<bullet> whether the firm has a governing board or management
committees to which the principal executive officer reports and, if so,
the identity of the members of that board or committee;
<bullet> the executive officer(s) who oversee(s) the firm's audit
practice;
<bullet> whether the firm has an external oversight function for
the audit practice composed of one or more persons who are not a
partner, shareholder, member, other principal, or employee of the firm
and does not otherwise have a commercial, familial, or other
relationship with the firm that would interfere with the exercise of
independent judgment with regard to matters related to the QC system
and, if so, the identity of the person or persons and an explanation
for the basis of the firm's determination that each such person is
independent (including the criteria used for such determination) and
the nature and scope of each such person's responsibilities (within
this release, such persons who meet the outlined criteria are referred
to as the firm's ``External QC Function (EQCF)''); \100\ and
---------------------------------------------------------------------------
\100\ See A Firm's System of Quality Control and Other
Amendments to PCAOB Standards, Rules, and Forms, PCAOB Release No.
2022-006 (Nov. 18, 2022), at 97.
---------------------------------------------------------------------------
<bullet> a description of the legal structure, ownership, and
governance of the firm, including processes that would govern a change
in the form of the organization (e.g., what are the relevant governing
bodies, voting rights, and approval requirements relevant to such an
organizational change). In addition, the proposal would revise the form
to specify that a firm should identify any change in the applicant's
form of
[[Page 96731]]
organization reported on Form 1, Item 1.4.
With respect to the disclosure of the role of the EQCF within the
audit oversight function, as proposed, the firm would have been
obligated to report if such a role exists, and the name of any person
occupying that role.\101\ As proposed, in the event the firm reported
one or more persons occupying the EQCF on Form 2, the firm would also
have been required to report on Form 3 when such a person is appointed,
resigns, is dismissed, ceases to meet the criteria to serve in the
EQCF, or changes roles, the date of such event, and whether the change
was recommended or approved by any governing board or management
committee.
---------------------------------------------------------------------------
\101\ The Board proposed that the name of the proposed EQCF and
QC operational roles be subject to assertions of a conflict of laws
by non-US registered firms. The Board thinks the name of the EQCF
and QC operational roles are distinguishable from other names called
for by this section insofar as this name or names may not already be
public in connection with this role.
---------------------------------------------------------------------------
General Comments
Some commenters supported the proposed governance requirements,
noting that they agreed that voluntary transparency reports have not
resolved the present opacity with respect to audit firm structure,
governance, and operations, and the amendments could mitigate the lack
of transparency through enhanced governance reporting requirements,
which would also increase standardization of the information available.
Those commenters further stated they agreed that, among other things,
enhanced governance information would allow investors, audit
committees, and other stakeholders to better understand the practices
of firms and differentiate among firms with respect to, for example,
leadership, oversight of the audit practice, oversight of auditor
independence practices, and board of directors composition, including
independence of directors, and that requiring this information through
a reporting requirement would increase the standardization, and
therefore comparability, of information available to investors, audit
committees, other stakeholders, and the PCAOB. Another commenter stated
that the governance information may be useful to audit committees as
they make auditor selection and retention decisions.
One commenter stated that, while it had reservations, it agreed
with the Board's overall objective to obtain information regarding
audit firm governance to help investors, audit committees, and other
stakeholders better understand firm processes and priorities, and to
bolster the PCAOB's oversight of registered firms. Another commenter,
which also had reservations, noted that the proposed requirements would
provide the PCAOB, investors, and other stakeholders a view as to how a
firm is structured.
One commenter, while expressing other reservations, agreed that
audit quality is linked to strong firm leadership and governance.
Another commenter stated that the governance requirements may improve
audit quality by helping audit committees in their decision-making and
incentivizing firms to improve governance mechanisms, while at the same
time noting uncertainty about whether the requirement necessarily will
improve audit quality or whether any improvements would be meaningful
or consequential. This commenter noted the particular relevance of
legal, ownership, and governance structure since some firms are
beginning to explore alternative structures including employee stock
ownership and private equity investments, and recommended including a
specific requirement to identify voting rights and other restrictions
resulting from private equity investments.
Other commenters opposed and/or questioned the usefulness of the
proposed requirements:
<bullet> One commenter stated that the proposal did not clearly
articulate how the Board's proposed requirement would meet its
objective due to the duplicative nature of the disclosure requirements
and the availability of the information through alternative means.
<bullet> Another commenter objected overall to the governance
reporting requirements because it would include operational details of
audit firms that would not incrementally help stakeholders assess a
firm or its ability to deliver audit services.
<bullet> Another noted that it was unclear how the array of
information from all firms would be useful to stakeholders in assessing
a firm and its ability to deliver audit services.
<bullet> Other commenters generally questioned the usefulness of
the proposed items for investors or other stakeholders and/or how they
would use this information.
<bullet> A commenter stated that audit committees in their capacity
of overseeing the governance of auditors would be able to request and
secure whatever information they determine necessary to assess an audit
firm and its ability to deliver its services.
<bullet> One commenter questioned whether naming the individuals
involved in an audit firm's governance will provide any meaningful
benefit. This commenter also noted that users of this information would
presumably have to perform other research on each person in order to
realize any benefit. Another commenter stated it is unclear what
purpose reporting all direct reports to the principal executive officer
would serve. Another commenter noted the potential for
misinterpretation of certain elements, specifically highlighting
difficulties interpreting the requirement to report all direct reports
to the principal executive officer. Another commenter noted direct
reports to the principal executive officer may not be publicly
available information. Another commenter recommended striking the
requirement to include all direct reports.
<bullet> On the other hand, another commenter stated that by
providing the names of the individuals, it will be evidence that
someone has been assigned to each role and, by comparing to prior
periods, whether there has been turnover in these positions.
<bullet> Several commenters stated that there are certain elements
of the proposed governance reporting requirements that would mandate
disclosure of granular operational details for which the Board has
provided no evidence either of utility or decision-usefulness; these
include the principle executive officer, the names of the individuals
in the roles described in paragraph .12 of QC 1000 and the processes
that would govern a change in the form of the organization.
<bullet> One commenter stated that it found reporting of the
process that would govern a change in the form of organization to be
too detailed and, in some cases, these processes are fluid and could
evolve quickly as the change is occurring. A commenter noted that a
description of the processes governing a change in the form of the
organization can be complex and difficult to understand without
significant context and recommended striking the change in governance
requirement.
<bullet> Commenters noted the availability of governance
information to the PCAOB through the inspection process or other
avenues.
<bullet> Commenters stated that similar governance information is
available in transparency reports. Other commenters highlighted that
they provided similar information in their transparency reports.
<bullet> A commenter stated that ownership--particularly
percentages--
[[Page 96732]]
is confidential information and should not be disclosed publicly.
One commenter stated that it found this proposed requirement
burdensome and excessive, particularly when considering that firms
operate in a dynamic environment and may alter their structures and
change personnel on a frequent basis. That same commenter stated that
the proposed requirements included excessive granularity and may
require significant context to be understood. Another commenter stated
that the requirement to provide description of the legal structure,
ownership, and governance of the firm, including processes that would
govern a change in the form of the organization (e.g., what are the
relevant governing bodies, voting rights and approval requirements
relevant to such an organizational change) was the type of information
included in a partnership agreement, questioned why such information
should be made public, and stated that it is unclear how stakeholders
would use such information.
One commenter suggested that static, form-based reporting regarding
governance would not result in meaningful transparency for investors
and other stakeholders, and that governance reporting should be
formulated to advance the ability of stakeholders (including investors
and audit committees) to gain a holistic understanding of a firm's
approach to audit quality through the eyes of the firm's leadership. A
commenter recommended, if the Board moved forward with this
requirement, that it streamline the requirement to focus on the most
relevant information, in order to avoid duplication or overlap with
other requirements, which could cause confusion to stakeholders. That
commenter specifically recommended that the Board adopt a more general
requirement to describe a firm's governance structure, including as it
relates to the audit practice and system of quality management, without
specifically requiring some of the more prescriptive elements of the
proposal, stating that a more principles-based requirement is more
likely to be informative to stakeholders because the disclosure would
require firms to describe relevant parts of their own governance,
rather than structuring their disclosure around very specific
requirements that could be more relevant to some firms than others;
such an approach that is less prescriptive would recognize that firm
governance structures vary. A commenter recommended allowing firms to
incorporate their transparency reports by reference to reduce cost and
burden.
The Board continues to believe that requiring standardized
reporting of specified governance information will provide useful
information to investors, audit committees and the PCAOB. Investor
comments on the proposal support the contention that the governance
reporting requirements will provide meaningfully decision-useful
information to them. With respect to audit committees, the Board agrees
that audit committees can request specified information from firms.
However, the standardized reporting of governance information would
provide information across firms to facilitate comparison. The
standardized provision of this information will not impede audit
committees from requesting bespoke information from audit firms, nor
from engaging with firms however they choose. The Board will likewise
benefit from standardized information via a reporting requirement,
notwithstanding the staff's ability to request specified information
through the inspection process. For example, having increased and more
standardized information will increase the efficient use of inspection
resources by reducing supplemental or ad hoc requests.
While certain governance information may be available for certain
firms through, for example, transparency reports, as discussed in the
proposal, the Board continues to believe voluntary transparency
reporting has not adequately mitigated opacity with respect to audit
firm governance. Such reporting is inconsistent from year to year, from
firm to firm, and, for many firms, simply not available. Mandatory
reporting of specified governance information will increase the
consistency and comparability of information available to all
stakeholders. Allowing firms to substitute voluntary transparency
reports for specified reporting on Form 2 would be inconsistent with
this objective. Permitting firms to link to voluntary transparency
reporting through a PCAOB form may create a misimpression regarding the
reliability of such information.
With respect to suggestions to take a more principles-based
approach, the final amendments provide for narrative governance
disclosures, which balances the need for sufficiently prescriptive
requirements to promote standardization and comparability with the need
for flexibility to provide context and account for varying firm
structures.
In consideration of comments and to better achieve the Board's
regulatory objectives, the Board has modified certain elements of the
amendments to better tailor the requirements and ease implementation.
First, the Board has eliminated the requirement to report all direct
reports to the principal executive officer to mitigate any issues
regarding the disclosure of personal identifying information for
individuals whose names and positions may not otherwise be publicly
disclosed and whose positions may not be sufficiently germane to the
audit practice to merit public reporting. The final amendments retain
the requirement to disclose the principal executive officer, the
executive or executives who oversee the firm's audit practice, and the
QC roles (as described below), as the Board thinks these roles are
sufficiently important to the audit practice and sufficiently likely to
be public (except as noted below). The Board has also retained the
requirement to disclose whether the firm has a governing board or
management committees to which the principal executive officer reports
and, if so, the identity of the members of that board or committee. The
Board believes such positions are of sufficient seniority to likely be
public and that such information is important to understanding overall
firm governance. Second, the Board has eliminated the requirement to
provide a description of the processes that would govern a change in
the form of organization, as the Board intends the requirement to
provide higher level governance information and is mindful that this
provision may introduce more complexity than intended. Striking this
provision also increases consistency with the EU directive
requirements.
QC Comments
The Board received comments specific to the proposed reporting of
QC roles. Some commenters supported reporting of some or all of the
proposed QC roles. One commenter supported disclosure, at least for
some firms in some form, of certain QC roles including the principal
executive officer (as the individual with ultimate responsibility and
accountability for the firm's system of QC as a whole) and the
individual assigned operational responsibility and accountability for
the system of QC as a whole. At the same time this commenter objected
to the proposed disclosure of the EQCF or any similar role.
Some commenters noted that certain disclosures, such as those
related to individuals with ultimate accountability for the QC system,
overlap with roles to be reported under QC 1000 and recommended
eliminating duplication
[[Page 96733]]
between this requirement and QC 1000 reporting requirements. Commenters
stated that public disclosure of the QC roles on Form 2 was
inconsistent with confidential reporting on Form QC and/or stated that
the disclosures related to the QC system should be confidential
consistent with reporting under QC 1000. Another commenter highlighted
internal duplication within the proposed governance reporting,
specifying that both proposed Item 1.4.a (principal executive officer)
and 1.4.e (roles identified in paragraphs .11 and .12 of QC 1000) would
necessitate the disclosure of the principal executive officer of the
Firm. One commenter noted that, with respect to the QC roles, QC 1000
and Form 2 cover different periods, thus, the disclosures could be
different between Form QC and Form 2. One commenter suggested retaining
the disclosure of the individual with overall responsibility for the QC
system as a whole but striking the requirement to disclose the QC
operational roles.
Another commenter observed that the proposal would require a firm
to disclose whether it has an independent oversight function for the
audit practice, while the newly adopted QC 1000, A Firm's System of
Quality Control, would require only some firms to have an EQCF; the
commenter stated that this could cause confusion among stakeholders who
do not understand the difference in requirements for an EQCF between
firms. Another recommended clarifying the Board's use of the term
``independent oversight function'' and qualifying the description of
such a function with the term ``brief.''
The Board has retained the requirement to disclose the QC roles,
including both the operational roles specified in paragraph.12 of QC
1000 and the EQCF roles. The duplication between these disclosure
requirements and the requirement to report these roles on Form QC was
intentional. While the Board ultimately concluded that Form QC as a
whole should be non-public, that did not represent a line-by-line
determination that every item to be reported on Form QC must be
confidential.\102\ Certain considerations that militated in favor of
the non-public nature of Form QC, including concerns that Form QC could
include information protected from publication by Sarbanes-Oxley, do
not apply to the disclosure of the individuals fulfilling these roles.
The Board believes that the QC system, and these roles within the QC
system, are sufficiently important to a firm's governance, and are
directly and importantly related to the firm's conduct of audits, to
warrant public disclosure of the QC roles. Moreover, the Board does not
believe the reporting of a small number of names is overly burdensome,
notwithstanding that firms have to report the names on Form QC (on a
non-public basis) and on Form 2 (on a public basis).\103\
---------------------------------------------------------------------------
\102\ See PCAOB Rel. 2024-005, at 265-270.
\103\ Consistent with the proposal, the Board has allowed
assertions of conflicts of laws with respect to these QC-specific
roles. The Board believes they differ from other reported names, for
which it is not allowing assertions of conflicts, because they may
not be as senior or otherwise publicly reported.
---------------------------------------------------------------------------
With respect to the comments regarding internal duplication with
Item 1.4, the Board acknowledges that the proposed requirement to
report the roles and responsibilities described in paragraph .11 of QC
1000 (individual assigned ultimate responsibility and accountability
for the QC system) was duplicative of the requirement to report the
principal executive officer (who would have ultimate responsibility and
accountability for the QC system). The Board therefore has struck the
specific reference to paragraph .11 in Item 1.4e (while retaining the
reference to paragraph .12 of QC 1000, which describes the QC
operational roles). Lastly, the Board has modified Item 1.4.f related
to the QC oversight function to conform to the language in paragraph
.28 of QC 1000, to clarify that the reporting obligation is meant to
capture the EQCF role as described in QC 1000.
The Board has added a note to the form including a reference to
paragraph .28 of QC 1000 (setting forth the EQCF requirement) and
clarifying that this disclosure applies both to firms required to have
such a role under QC 1000 and to firms that otherwise have a role that
meets the definition in Item 1.4.f. The reporting requirement will
permit sufficient narrative disclosure for a firm to provide context
regarding the nature of the firm's EQCF, including whether it has
created the role in response to QC 1000.28 or otherwise.
With respect to any difference in reporting periods between Form QC
and Form 2, Form 2 provides that information provided in Part I of the
form, which would include Item 1.4, should be current as of the date of
the certification of Form 2. Firms should abide by that instruction.
Any disparity between information reported on Form 2 and on Form QC
with respect to operational roles due to differing reporting periods
should not cause confusion for users of Form 2 given the non-public
nature of Form QC.
Finally, the Board proposed that the names of the individuals
occupying QC roles be subject to assertions of a conflict of laws by
foreign registered firms. The Board continues to think the names of
these individuals are distinguishable from other names called for by
this section insofar as they may not already be public in connection
with these roles and could foreseeably be subject to a non-U.S law
prohibiting the disclosure of personal data. Therefore, the Board has
adopted provisions to permit assertions of conflicts of laws as
proposed.
Other Comments
One commenter recommended that the Board, to the extent it includes
the proposed items on an amended form, provide text boxes for each
response with at least 2000 characters to allow firms to provide any
necessary explanation and context for the information disclosed. The
Board does not think each subpart of Item 1.4, such as those calling
for a name or names, would merit 2000 characters. However, for those
items that ask for a description, namely Items 1.4d and 1.4f, the Board
agrees a more extended character count is warranted.
Other commenters recommended further study or reconsidering the
necessity of the governance reporting and assessing whether the
proposed information would directly contribute to audit quality. The
Board believes its experience and the notice and comment process have
provided an appropriate opportunity to consider the merits of the
proposal and, further, that the Board and others will be in a better
position to assess the effects of the reporting requirements after the
reporting is implemented.
Network Information
The Annual Report Form currently requires firms to identify whether
they are a part of certain networks, arrangements, alliances,
partnerships, or associations and, if so, to identify them and provide
a description of those relationships.\104\ In conceiving this reporting
requirement, the Board noted that it intended to identify arrangements
that ``afford[ ] the firm access to resources for use in issuer audits,
including procedures, manuals, or personnel.'' \105\ The Board
continues to believe that reporting regarding network arrangements that
affect the resources, financial or otherwise, available to firms in the
performance of audits is important to investors, audit committees, and
others in their evaluations of audit firms and audit quality. However,
the current network-related requirement asks only for ``a
[[Page 96734]]
brief description of such relationship'' without specifying the content
of such a description. The Board believes that the benefits of this
reporting requirement would be enhanced by requiring greater
specificity in reporting on network arrangements.
---------------------------------------------------------------------------
\104\ See Form 2, Item 5.2.
\105\ See PCAOB Rel. No. 2008-004, at 10.
---------------------------------------------------------------------------
Network arrangements have provided members with benefits that
research has found may affect audit quality.\106\ As the largest four
accounting firms, which have network arrangements, still provide audits
to the majority of publicly held companies, it also follows that most
public company audits are conducted by firms with network affiliations.
Currently, while the PCAOB receives information regarding member firms
within a network, the Board does not require significant information
about how the network interacts with and supports member firms in the
conduct of audits.
---------------------------------------------------------------------------
\106\ See, e.g., Kenneth L. Bills, Lauren M. Cunningham, and
Linda A. Myers, Small Audit Firm Membership in Associations,
Networks, and Alliances: Implications for Audit Quality and Audit
Fees, 91 The Accounting Review 767 (2016) (finding that specialized
expertise, solutions to staffing and geographic limitations, and
technical trainings are among the benefits that contribute to
improved audits performed by smaller firms).
---------------------------------------------------------------------------
Accordingly, the Board proposed to amend Form 2, Item 5.2 to
require a more detailed description of the network arrangement,
including describing the legal and ownership structure of the network,
network-related financial arrangements of the registered firm (e.g.,
loans and funding arrangements to or from the network member firm),
information-sharing arrangements between the registered firm and the
network (including both sharing of such information as training
materials, audit methodologies, etc. and sharing of audit client
information), and network governing boards or individuals to which the
registered firm may be accountable. The Board notes it would expect
firms to indicate specifically whether they have outstanding loan and/
or funding arrangements with their networks, in addition to noting
whether such arrangements are permissible under their network
arrangements.
General Comments
Some commenters supported the expanded network-related requirement
generally. Other commenters opposed the network-related requirement.
Some commenters questioned the usefulness of the proposed network
requirements, including stating the following:
<bullet> It is unclear how the PCAOB would use the information.
<bullet> The PCAOB already has access to network-related
information.
<bullet> It is unclear how this information would inform
stakeholder decision-making.
<bullet> The network information may be misused or misinterpreted
and could cause confusion.
<bullet> It is unclear how users could form conclusions about
quality from the information to be provided.
<bullet> An individual member firm may not be privy to all network
information that the PCAOB proposes to obtain.
Some commenters expressed concerns that certain information called
for by the proposed requirement was too sensitive and subject to
misinterpretation for public disclosure:
<bullet> Commenters stated that certain information, including
network financial arrangements and legal structures, is confidential,
proprietary, or sensitive and registered firms are not necessarily
permitted to share such information, and/or the required disclosures
are contrary to the Board's obligations under Sarbanes-Oxley. A number
of firms stated the information should be collected only
confidentially.
<bullet> A commenter stated its strong opposition to the network-
related financial obligations of the registered firm or the governing
boards or individuals to which the registered entity may be
accountable, noting that such information is likely to be complex and
potentially subject to misinterpretation without sufficient context.
This commenter also stated this information may raise legal and
financial risks for firms, threatening audit quality; for example,
information regarding ordinary course financial arrangements has a risk
of misinterpretation without sufficient context, including a
misinterpretation that a firm is at risk of failure.
<bullet> A commenter stated the legal and ownership structure,
network-related financial obligations, and how audit client information
may be shared are complex matters that should be confidential, risk
being misunderstood by stakeholders who do not have the benefit of two-
way dialogue with the firm, and are better suited to the inspection
process. This commenter also noted the complex and varying nature of
network arrangements and that the disclosures could lead to unintended
legal and financial consequences. Finally, the commenter questioned
whether users of Form 2 will draw inferences about audit quality based
only on the firm's membership in a network.
<bullet> One commenter stated that disclosure of funding or loan
arrangements may have the unintended consequence of causing a
misinformed loss of confidence in a member firm. Another firm stated
the network disclosures could put some firms at a competitive
disadvantage.
A commenter stated that the proposed requirement wrongly focuses on
financial strength and suggested revising the requirement to focus on
audit methodology, staff training, and quality control, including the
following:
<bullet> Whether the network has a common audit methodology that is
used by all member firms.
<bullet> Whether auditors throughout the network receive the same
or similar training.
<bullet> Whether the network establishes minimum quality control
policies and procedures that are implemented by each member firm.
<bullet> Whether the network conducts periodic inspections of its
member firms and, if so, the frequency of those inspections and the
extent to which the results of inspections are disseminated throughout
the network.
<bullet> How the information about each member firm's clients is
communicated across the network to facilitate compliance with the
independence rules.
A commenter, while opposing the overall requirement, stated that
certain elements seem more likely to be relevant to stakeholders and
would be less costly to produce, including high-level information about
the legal and ownership structure of the network and information-
sharing arrangements between the registered firm and the network. One
commenter stated that proposed disclosures related to network-related
financial obligations and information-sharing arrangements between the
registered firm and the network are ambiguous and do not include
quantitative or qualitative limiting factors, and are not subject to a
materiality threshold, thus potentially requiring firms to disclose
even nominal arrangements within a network. This commenter stated that
the Board expand the amount of space for firms to provide disclosure
about the networks on Form 2 to allow more complete descriptions, but
remove (or afford both a materiality threshold for, and a
confidentiality protection to) the proposed specific requirements that
may expose financial or other confidential or competitive business
information.
Some commenters questioned whether the Board's comparability
objective would be achieved by the proposed requirements, with one
commenter stating that the network-related requirements would not
provide comparability benefits, given the wide variety in network
structures among
[[Page 96735]]
PCAOB registered firms, and that without sufficient and appropriate
context to fully understand this type of information, it would not be
decision-useful information for third parties.
The Board continues to believe, as discussed more fully in the
proposal, that it is important for investors and audit committees to
have access to comparable information regarding the resources a
registered firm may have to conduct audit engagements and in connection
with other aspects of its audit practice, such as training resources.
To the extent that network arrangements may affect access to such
resources, enhanced reporting regarding these aspects of a network
arrangement would inform stakeholders' evaluation of the registered
firm and its audit practice. Requiring greater specificity with respect
to network information should reduce the likelihood of boilerplate
disclosures and increase the usefulness to all stakeholders. The Board
also continues to believe that requiring this information through a
reporting requirement would increase the standardization, and therefore
comparability, of information collected, which would benefit all users
of this information.
Further, the Board continues to believe enhanced network reporting
would inform the PCAOB's regulatory function. It would provide a
baseline understanding of how the network arrangement influences the
firm's governance and accountability, including oversight of its audit
practice, and access to resources. Having this information available to
the Board via reporting will inform the Board's scoping and planning of
inspections.
In consideration of comments, however, the Board has modified the
requirement to focus on the registered entity and the aspects of its
relationship with the network that it believes most directly relate to
the conduct of audits. Accordingly, instead of asking for the legal and
ownership structure of the network, network-related financial
obligations of the registered firm, information-sharing arrangements
between the registered firm and the network, and network governing
boards or individuals to which the registered entity may be
accountable, the final amendments ask the firm to provide a brief
description of the network relationship, i.e., describing at a high
level the network structure and the relationship of the registered firm
to the network, including whether the registered firm has access to
resources such as firm methodologies and training, whether the firm
shares information with the network regarding its audits, whether the
firm is subject to inspection by the network, and any other information
the registered entity considers relevant to understanding how the
network relationship relates to its conduct of audits.
The Board believes these modifications should simplify the
requirement. They should also eliminate or sufficiently mitigate risks
identified by commenters, especially those associated with financial
obligations, and focus the requirement on aspects of the network
relationship most likely to influence the firm's conduct of audits. The
Board further believes these modifications clarify that the requirement
is not intended to elicit proprietary, sensitive, or confidential
information. Rather the requirement is intended to increase the
availability and the standardization of information that many firms in
networks already provide. The Board notes further that the firm is free
to provide whatever information it believes is necessary to
contextualize the required information. In this regard, the Board
acknowledges that the narrative disclosure required will not achieve
perfect standardization or comparability. Nevertheless, compared to
voluntary disclosure, where some firms do not provide such information
and the firms that do provide network information are free from any
parameters for disclosure, the Board believes that the required
reporting should provide greater standardization and comparability than
is currently available.
Comments on Interpretation
A commenter stated that it is not clear what is meant by the word
``accountable'' in Item 5.2.b's requirement to disclose ``network
governing boards or individuals to which the registered entity may be
accountable.'' A commenter stated that consistent with guidance in the
final release on Form AP, the PCAOB should also clarify that by
``network'' arrangements, the proposal is not referring to subsidiaries
of the registered firm, other entities controlled by the registered
firm issuing the audit report, or other non-accounting firm affiliates
(e.g., related entities with the registered firm that provide tax,
valuation, or other assistance to the registered firm as part of the
audit) whose work on audits would be supervised by and recorded in the
working papers of the registered firm. A commenter encouraged the Board
to further define the existing terms and how the Board expects firms to
report the information. One commenter requested clarity around what is
meant by requesting the `ownership structure of the network.'
In consideration of comments, the Board notes that Form 2 currently
requires firms to state whether the firm has any:
1. Membership or affiliation in or with any network, arrangement,
alliance, partnership or association that licenses or authorizes audit
procedures or manuals or related materials, or the use of a name in
connection with the provision of audit services or accounting services;
2. Membership or affiliation in or with any network, arrangement,
alliance, partnership or association that markets or sells audit
services or through which joint audits are conducted; or
3. Arrangement, whether by contract or otherwise, with another
entity through or from which the Firm employs or leases personnel to
perform audit services.
The network reporting requirement, currently and under the final
amendments, applies if the firm answers affirmatively in response to
any of the described arrangements. The Board believes that these
descriptions of what constitutes a network or other relationship are
sufficiently specific. The Board is not aware that interpretive
difficulties related to these provisions have arisen previously.
Moreover, because of the modified requirement, which no longer contains
terms commenters requested clarity on, the Board does not believe that
further clarification is warranted.
Comments on Authority
Commenters stated that the network is not registered and requiring
reporting regarding non-registered entities may be beyond the scope of
the PCAOB's authority. The Board continues to believe that
[…truncated; see source link]Indexed from Federal Register on December 5, 2024.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.