89 FR 234 pgs. 96712-96787 - Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules on Firm Reporting
Type: NOTICEVolume: 89Number: 234Pages: 96712 - 96787
Pages: 96712, 96713, 96714, 96715, 96716, 96717, 96718, 96719, 96720, 96721, 96722, 96723, 96724, 96725, 96726, 96727, 96728, 96729, 96730, 96731, 96732, 96733, 96734, 96735, 96736, 96737, 96738, 96739, 96740, 96741, 96742, 96743, 96744, 96745, 96746, 96747, 96748, 96749, 96750, 96751, 96752, 96753, 96754, 96755, 96756, 96757, 96758, 96759, 96760, 96761, 96762, 96763, 96764, 96765, 96766, 96767, 96768, 96769, 96770, 96771, 96772, 96773, 96774, 96775, 96776, 9677796778, 96779, 96780, 96781, 96782, 96783, 96784, 96785, 96786, 96787, Docket number: [Release No. 34-101723; File No. PCAOB-2024-07]
FR document: [FR Doc. 2024-28148 Filed 12-4-24; 8:45 am]
Agency: Securities and Exchange Commission
Official PDF Version: PDF Version
[top]
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-101723; File No. PCAOB-2024-07]
Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules on Firm Reporting
November 25, 2024.
Pursuant to Section 107(b) of the Sarbanes-Oxley Act of 2002 ("Sarbanes-Oxley" or the "Act"), notice is hereby given that on November 22, 2024, the Public Company Accounting Oversight Board (the "Board" or the "PCAOB") filed with the Securities and Exchange Commission (the "Commission") the proposed rules described in items I and II below, which items have been prepared by the Board. The Commission is publishing this notice to solicit comments on the proposed rules from interested persons.
I. Board's Statement of the Terms of Substance of the Proposed Rules
On November 21, 2024, the Board adopted amendments to its annual and special reporting requirements for audit firms (collectively, the "proposed rules"). The text of the proposed rules is set out below. The text of the proposed rules appears in Exhibit A to the SEC Filing Form 19b-4 and is available on the Board's website at Docket 055 | PCAOB ( pcaobus.org ) and at the Commission's Public Reference Room.
II. Board's Statement of the Purpose of, and Statutory Basis for, the Proposed Rules
In its filing with the Commission, the Board included statements concerning the purpose of, and basis for, the proposed rules and discussed any comments it received on the proposed rules. The text of these statements may be examined at the places specified in Item IV below. The Board has prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements. In addition, the Board has requested that the Commission approve the proposed rules, pursuant to Section 103(a)(3)(C) of the Act, for application to audits of emerging growth companies ("EGCs"), as that term is defined in Section 3(a)(80) of the Securities Exchange Act of 1934 ("Exchange Act"). The Board's request is set forth in section D.
A. Board's Statement of the Purpose of, and Statutory Basis for, the Proposed Rules
(a) Purpose
The Board has adopted amendments to its annual and special reporting requirements to mandate the disclosure of more complete, standardized, and timely information by registered public accounting firms. The changes include enhanced reporting of firm financial, governance, and network information; expanded special reporting; and cybersecurity reporting, among other topics. After notice and comment, the Board believes that the final amendments are necessary or appropriate in the public interest or for the protection of investors and would enhance firm transparency and improve the PCAOB's oversight of audit firms.
As the Board has previously observed, robust disclosure is the cornerstone of the U.S. federal securities regulatory regime and is essential to efficient capital formation and allocation. 1 Access to meaningful information about a public company allows investors to make informed judgments about the company's financial position and the stewardship exercised by the company's directors and management. With the passage of the Sarbanes-Oxley Act of 2002 ("Sarbanes-Oxley"), Congress acknowledged and re-emphasized the auditor's important gatekeeping role within the public company reporting framework and required PCAOB-registered firms to submit public annual reports to the Board. 2 Sarbanes-Oxley also provides that firms may be required to report more frequently and authorizes the Board to require "such other information as the rules of the Board or the Commission shall specify as necessary or appropriate in the public interest or for the protection of investors."? 3
Footnotes:
1 ? See Improving the Transparency of Audits: Proposed Amendments to PCAOB Auditing Standards to Provide Disclosure in the Auditor's Report of Certain Participants in the Audit, PCAOB Rel. No. 2013-009, at 2 (Dec. 4, 2013).
2 ? See Section 101(a) of Sarbanes-Oxley, 15 U.S.C. 7211(a); Senate Report No. 107-205, at 5-6 (July 3, 2002).
3 ? See Sections 102(b)-(e) of Sarbanes-Oxley.
The Board has observed an increase in voluntary audit firm transparency reporting, potentially reflecting market demand for more information regarding firms to support informed decision-making by market participants. The Board has also observed other jurisdictions implementing audit firm reporting initiatives. Indeed, investors and investor-related groups have long sought more transparency about firms, asserting that additional data and information would help investors make informed decisions about investing their capital, ratifying the selection of auditors, and voting for members of the board of directors, including directors who serve on the audit committee. 4 Investor and investor-related group comments on this rulemaking evidence their continuing support for enhanced transparency.
Footnotes:
4 ? See, e.g., Comment No. 4 from Members of the Investor Advisory Group ("IAG") (Jan. 13, 2023), Rulemaking Docket 046: Quality Control, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket046/4_iag.pdf?sfvrsn=1941e7c0_4; Comment No. 5 from the Council of Institutional Investors (Jan. 19, 2023), Rulemaking Docket 046: Quality Control, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket046/5_cii.pdf?sfvrsn=69b3e6bd_4; Center for Audit Quality ("CAQ"), Audit Quality Disclosure Framework (Jan. 2019), available at caq_audit_quality_disclosure_framework_2019-01.pdf ( thecaq.org ); PCAOB Investor Advisory Group Meeting (Oct. 27, 2016), available at https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting_1052.
Prior to this rulemaking, the basic framework for the PCAOB's annual and special reporting requirements, however, had not been substantively reevaluated since its adoption in 2008. 5 The Board has considered the reporting requirements established in 2008, the staff's experience with those requirements, concerns raised by investors regarding a lack of audit firm transparency, and comments received in connection with this rulemaking. The Board believes that improvements to the reporting requirements should be made to facilitate more public disclosure about aspects of registered firms' operations that could impact firms' ability to conduct quality audits, and that such disclosure will be informative and useful to investors, audit committees, and other stakeholders? 6 when evaluating audit firms and the audits of public companies. The Board further believes that the reporting requirements it has adopted will enhance investor confidence in public company audits and, therefore, in financial reporting.
Footnotes:
5 ?The PCAOB amended its rules and form in 2013 to conform to the Dodd-Frank Wall Street Reform and Consumer Protection Act as it relates to the Board's oversight of audits of broker-dealers. See Amendments to Conform the Board's Rules and Forms to the Dodd-Frank Act and Make Certain Updates and Clarifications, PCAOB Rel. No. 2013-010 (Dec. 4, 2013).
6 ?Throughout the release the Board often refers to investors and audit committees as the principal users of the public reporting. This does not foreclose use by other stakeholders.
[top] In addition to transparency benefits, enhanced reporting requirements will facilitate the PCAOB's regulatory functions, and thus, better inform the
Although the PCAOB may request information from firms from time to time as part of its regulatory activities, requiring the regular periodic and special reporting of certain information will standardize the provision of the information and enhance its comparability and timeliness, supporting the PCAOB's regulatory functions and therefore supporting investor protection.
The Board has considered comments raising concerns that the reported information may not be useful or may be misunderstood by investors and other stakeholders. As an initial matter, investors and investor-related groups have consistently called for greater audit firm transparency, including in comments in connection with this rulemaking, and stated that these types of reporting requirements will inform their decision-making. In addition, the Board notes that similar objections regarding the benefit of disclosure were raised in connection with recent past rulemakings requiring additional information about audits and auditors to be made public, namely Form AP reporting of the name of the engagement partner and information about other firms participating in the audit, and auditor communication of critical audit matters (CAMs). In both those cases, the Board has observed that the new information is sought after. The Form AP data set is now one of the most frequently visited areas of the Board's website. 7 As for CAMs, in a recent investor survey conducted by a firm-related group, over 90% of the respondents indicated that CAMs play an important role in their investment decision-making. 8 The Board's experience suggests that additional information about auditors and audit engagements is accessed and relied upon by the Board's stakeholders when it is available. Moreover, the PCAOB has continued to find both anticipated and new uses for reported information.
Footnotes:
7 ?In 2023, there were over 333,000 unique searches performed on AuditorSearch and the Form AP dataset was downloaded over 2,000 times. Information related to usage statistics can be found on the PCAOB's website ( https://pcaobus.org/resources/auditorsearch ).
8 ?The Center for Audit Quality Critical Audit Matters Survey (July 2024) at 9.
Finally, when the Board proposed these requirements, the Board strove to craft targeted amendments to existing reporting requirements to support its transparency and regulatory objectives. In formulating the final amendments, the Board has given careful consideration to the comments received to further refine the amendments to best achieve the objectives of this rulemaking. In particular, the Board has tailored the requirements to focus on specific disclosures that should be most useful to PCAOB staff in its oversight of audit firms and to investors, audit committees, and others in their decision-making and evaluation of audit firms.
Final Amendments
The final amendments will revise the annual and special reporting framework in the following ways:
• Revise the annual reporting form ("Form 2" or the "Annual Report Form") to require more information regarding a firm's network arrangements; leadership and governance structure; and fees collected, and implement a new requirement for the largest accounting firms to confidentially submit financial statements to the PCAOB in a specified manner.
• Revise the special reporting form ("Form 3" or the "Special Reporting Form") to expand the scope of special reporting for a subset of firms to include (on a confidential basis) events that pose a material risk, or represent a material change, to the firm's organization, operations, liquidity or financial resources, in such a manner that they will affect the provision of audit services ("material event reporting"); and to require material event reporting within 14 days or more promptly as warranted;
• Implement new cybersecurity reporting requirements, including reporting of significant cybersecurity incidents within five business days on a confidential basis and public reporting of a brief description of a firm's policies and procedures, if any, to identify, assess, and manage cybersecurity risks; and
• Implement a new form ("Update to the Statement of Applicant's Quality Control Policies and Procedures" or "Form QCPP") to capture updates to a firm's quality control policies currently provided in a firm's application for registration (Form 1).
Key Changes From the Proposal
In consideration of comments received, the Board has modified the final amendments in certain respects, including the following changes:
• Fee Reporting: The Board streamlined the fee disclosure requirements to reduce disaggregation as compared to the proposal. The final amendments will require that firms report the existing fee disclosure categories in actual amounts (as opposed to percentages), plus broker-dealer fees, and total fees for all clients. These changes are to clarify, reduce burden, and focus the requirement on information that provides insight into a firm's audit practice.
• Financial Statements: The Board adopted the requirement for the largest firms to provide financial statements to the PCAOB confidentially, but has eliminated the requirement to prepare them in accordance with an applicable financial reporting framework. Instead, the Board has prescribed certain minimum requirements for the financial statements. This change is to mitigate the costs of this requirement for firms while still ensuring the reporting requirement results in improved standardization to improve the Board's insight into a firm's practice, focus, and incentives, and inform the PCAOB's oversight of registered firms.
• Governance and Network Reporting: The Board has adopted the requirements related to firm governance and network arrangements with modifications to streamline the requirements, increase clarity, and further focus requirements on the registered entity's audit practice.
[top] • Special Reporting: The Board has not adopted the proposal to accelerate the Form 3 reporting deadline, except that material event reporting and cybersecurity incident reporting are required to be reported under the proposed accelerated timeframes. This change is intended to ease the burden, particularly for smaller firms, while still requiring timely reporting of events of sufficient significance and urgency to warrant more prompt reporting. The Board has adopted the material event reporting requirement with modifications to clarify, ease implementation, and better focus the requirement on information relevant to a firm's audit practice. In addition, the Board has limited the firms subject to the material event reporting requirement to those that are annually inspected, i.e., firms that provide audit opinions for more than 100 issuers annually.
• Cybersecurity Incident Reporting: The Board has adopted the proposed requirements with modifications to language for clarity and to better link disclosures to the firm's audit practice.
Effective Date
For annual and special reporting requirements, the Board has adopted phased implementation to give smaller firms more time to develop and test the necessary tools to comply with the requirements. For the first phase, the final amendments will become effective as of March 31, 2027, or two years after approval of the requirements by the U.S. Securities and Exchange Commission (SEC), whichever occurs later. The first phase applies to the largest firms as defined in new rule 4013. For the second phase, the final amendments will become effective one year after the first. The second phase applies to all other firms subject to the reporting requirements.
For Form QCPP, the Board has aligned the effective date for Form QCPP with the effective date for QC 1000. Thus, the final amendments will become effective December 15, 2025 and the deadline for filing is 30 days thereafter on January 14, 2026.
This release provides background on the Board's rulemaking project, discusses comments received, and includes an economic analysis that further considers the need for rulemaking and the anticipated economic impacts of the Board's approach. Appendix 1 sets forth the text of the form modifications, a new form, and rule amendments.
(b) Statutory Basis
The statutory basis for the proposed rules is Title I of the Act.
B. Board's Statement on Burden on Competition
Not applicable. The Board's consideration of the economic impacts of the proposed rules is discussed in section D below.
C. Board's Statement on Comments on the Proposed Rules Received From Members, Participants or Others
The Board released the proposed rule amendments for public comment in PCAOB Release No. 2024-003 (April 9, 2024). The Board received 36 written comment letters. The Board has carefully considered all comments received. The Board's response to the comments it received and the changes made to the rules in response to the comments received are discussed below.
Background and Key Considerations
Current Reporting Framework
Section 102(d) of Sarbanes-Oxley provides that each registered public accounting firm shall submit an annual report to the Board and may also be required to report more frequently "such additional information as the Board or the Commission may specify."? 9 In 2008, the Board adopted rules and forms to govern and facilitate annual reporting of certain information and to require, govern, and facilitate special reporting of certain other information if specified events occur. 10
Footnotes:
9 ?Section 102(d) of Sarbanes-Oxley provides:
Each registered public accounting firm shall submit an annual report to the Board, and may be required to report more frequently, as necessary to update the information contained in its application for registration under this section, and to provide to the Board such additional information as the Board or the Commission may specify, in accordance with subsection (b)(2).
10 ?See Rules on Periodic Reporting by Registered Public Accounting Firms, PCAOB Rel. No. 2008-004 (June 10, 2008).
The Board specified that the reporting requirements were intended to serve three fundamental purposes. First, firms were required to report information to keep the PCAOB's records current about such basic matters as the firm's name, location, contact information, and licenses. Second, firms were required to report information reflecting the extent and nature of the firm's audit practice to facilitate analysis and planning related to the PCAOB's inspection responsibilities, to inform other PCAOB functions, and to provide potentially valuable information to the public. Third, firms were required to report circumstances or events that could merit follow-up through the PCAOB's inspection or enforcement processes, and that may otherwise warrant being brought to the public's attention (such as a firm's withdrawal of an audit report in circumstances where the information is not otherwise publicly available). 11
Footnotes:
11 ? See id. at 6.
The current reporting framework includes two types of reporting obligations. First, it requires each registered firm to provide basic information once a year about the firm and the firm's audit practice over the most recent 12-month period. The firm must do so by filing an annual report on Form 2. Second, upon the occurrence of specified events, a firm must report certain information by filing a special report on Form 3. The Board has not substantively revisited the annual and periodic reporting framework set forth on Forms 2 and 3 since their adoption in 2008.
At the time, the Board noted that, by adopting these requirements, it did "not mean to suggest that the information encompassed by these rules is the only information that the Board will require firms to report under Section 102(d) of the [Sarbanes-Oxley] Act." To the contrary, the Board noted that it "may identify other useful requirements by, for example, monitoring public discussion of relevant issues or considering disclosure requirements in other auditor regulatory regimes," specifically citing the work of the Department of the Treasury's Advisory Committee on the Auditing Profession (ACAP) as a potential area of interest. 12
Footnotes:
12 ? See id. at 4-5.
In 2008, the Board adopted Form 4, Succeeding to Registration Status of Predecessor, which permits a registered public accounting firm's registration status to continue with an entity that survives a merger or other change in the firm's legal form. 13 Also, in 2015, the Board adopted rules to require registered firms to file Form AP to disclose the names of engagement partners and certain information about other accounting firms that participated in their audits of public companies. 14 Form AP requires information specific to particular audit engagements, rather than information that is firmwide and operational in nature.
Footnotes:
13 ? See Rules on Succeeding to the Registration Status of a Predecessor Firm, PCAOB Release No. 2008-005 (July 29, 2008).
14 ? See Improving the Transparency of Audits: Rules to Require Disclosure of Certain Audit Participants on a New PCAOB Form and Related Amendments to Auditing Standards, PCAOB Release No. 2015-008 (Dec. 15, 2015).
In addition, in May 2024, the Board adopted new requirements (QC 1000, A Firm's System of Quality Control ) for an audit firm's system of quality control (QC) that included, among other things, the requirement that a firm report to the Board annually the outcome of the evaluation of the firm's QC system with respect to any period during which the firm was required to implement and operate the QC system. 15 QC 1000 was approved by the SEC in September 2024.
Footnotes:
15 ?See A Firm's System of Quality Control and Other Amendments to PCAOB Standards, Rules, and Forms, PCAOB Rel. No. 2024-005 (May 13, 2024).
[top] Finally, in Firm and Engagement Metrics, the Board has concurrently adopted public reporting of standardized firm- and engagement-level metrics regarding a firm's audit work and audit practice. In particular, the Board has adopted metrics in the following areas: partner and management involvement; workload; training hours for audit personnel;
Developments Since the Implementation of the Current Framework
The Board has considered various developments since the adoption of the current annual and special reporting framework, including the following:
• The staff's experience with the current reporting framework;
• The issuance, and the staff's continued assessment, of the ACAP Final Report to the Department of the Treasury ("ACAP Final Report"), including (1) recommendations for the PCAOB to enhance firm reporting and monitoring and (2) its emphasis on the risk that the failure of a large audit firm could have disruptive effects on the ability of firms to conduct quality audits and on the audit market;
• Audit firm transparency initiatives in other jurisdictions, including certain mandatory reporting requirements, the development of voluntary transparency reporting in the United States, 16 and studies of the effects of enhanced transparency on audit quality and investor confidence;
Footnotes:
16 ? See, e.g., CAQ, Audit Quality Report Analysis: A Year in Review (Mar. 2023), available at https://www.thecaq.org/aqr-analysis-yir. In 2023, the CAQ published a summary analysis of the most recent audit quality reports issued by the eight firms represented on the CAQ's Governing Board. The CAQ report noted that some firms disclosed qualitative as well as quantitative information, including information relating to audit methodology and execution, people and firm culture, quality management and inspections, and technology and innovation.
• PCAOB outreach and activities regarding audit firm transparency;
• The growing risk to audit firms from cyberattacks and cyberbreaches and the increase of such incidents at audit firms;? 17 and
Footnotes:
17 ? See Gary Salman, The rise of cybercrime in the accounting profession continues, Accounting Today Online (Aug. 24, 2020); see also Maggie Miller, FBI sees spike in cyber crime reports during coronavirus pandemic, The Hill (Apr. 16, 2020); see also Karen Nakamura, Cybersecurity risk: Constant vigilance required, Journal of Accountancy (Sept. 1, 2022). See also Department of Homeland Security, Cyber Safety Review Board to Conduct Second Review on Lapsus$ (Dec. 2, 2022), available at https://www.dhs.gov/news/2022/12/02/cyber-safety-review-board-conduct-second-review-lapsus; Tim Starks, The Latest Mass Ransomware Attack Has Been Unfolding For Nearly Two Months, Washington Post (Mar. 27, 2023).
• The comments submitted to the PCAOB on the Firm Reporting proposal.
1. Staff Experience With the Current Framework
The staff has at times received important information from registered firms on a voluntary ad hoc basis rather than pursuant to required reporting or through any formal mechanism. Examples of such ad hoc reporting include changes in leadership, reductions in workforce, pending merger transactions, and cybersecurity incidents. In addition, the staff routinely requests certain information from firms, including business and financial metrics, to inform inspection planning and scoping that may be more efficiently collected in a standardized form via periodic or special reporting. Finally, the staff has at times found voluntarily and mandatorily reported information to be incomplete, inaccurate, or insufficiently detailed. For example, the staff has at times found fee information reported on the Annual Report Form insufficiently specific, inconsistently reported from year-to-year with respect to methodology, or not reported in accordance with form instructions, which has inhibited the degree to which the information can effectively inform the PCAOB's statutory oversight function.
2. ACAP Final Report
In October 2008, after the Board's adoption of Forms 2 and 3, the ACAP-a committee of business leaders, investors, former SEC staff members, and accounting professionals that had studied the auditing profession for one year-issued the ACAP Final Report with recommendations for the SEC, PCAOB, and auditing profession. In presenting the ACAP Final Report, the ACAP co-chairs contended that "[t]he major auditing firms are key actors in the public securities markets" and "must comply with the same principles of transparency that the Board asks of other major market actors, both for the sake of the credibility of the market system as a whole, and for the credibility and long-term health of the firms themselves."? 18
Footnotes:
18 ?ACAP Final Report at II:6.
The ACAP Final Report included the following recommendations, among others, for the PCAOB:
• Monitor potential sources of catastrophic risk which would threaten audit quality; and
• Create a requirement for larger auditing firms to produce a public annual report including, among other things, information required by the European Union's transparency report, and to file on a confidential basis with the PCAOB audited financial statements. 19
Footnotes:
19 ? Id. at VII:20, VIII:10. The ACAP Final Report included recommendations in three areas: (i) concentration and competition, (ii) firm structure and finance, and (iii) human capital. The two bulleted recommendations come from areas (i) and (ii). The Board has addressed other ACAP recommendations by, for example, adopting Form AP which is in part responsive to an ACAP recommendation that the PCAOB undertake a standard-setting initiative to consider mandating the engagement partner's signature on the auditor's report.
In making these recommendations, the ACAP noted that the PCAOB was "uniquely qualified to monitor the firms" and that monitoring for disruptions to the market that could threaten audit quality was consistent with the PCAOB's mission and mandate. 20 Within the report, Treasury Secretary Henry Paulson noted the importance of striking a balance between investor protection and market competitiveness, while the ACAP co-chairs highlighted a related goal of reducing the barriers for smaller firms to enter the public company audit market. 21 This release and the pursuant economic analysis consider these overarching principles in connection with these requirements.
Footnotes:
20 ? Id. at VII:24, VIII:11.
21 ? Id. at D:3, II:5.
The Board agrees that its mandate extends to monitoring firms and the audit market for disruptions, including those related to firm viability, staffing, or potential legal liabilities. 22 For example, in the event of a solvency-threatening event at an audit firm, the Board would need adequate information to assess whether that failure may have a disproportionate impact on a particular sector and the extent to which other audit firms are positioned to absorb the threatened firm's companies under audit. 23 The Board would also need adequate information to respond to inquiries from its oversight authorities, the SEC and Congress, to share pertinent information with other regulators as appropriate, and to consider appropriate guidance regarding transitioning audit clients.
Footnotes:
22 ? See Section 101(c)(5) of Sarbanes-Oxley, which provides, in addition to performing core functions such as registrations and inspections, the Board's duties extend to "perform[ing] such other duties or functions as the Board (or the Commission, by rule or order) determines are necessary or appropriate to promote high professional standards among, and improve the quality of audit services offered by, registered public accounting firms and associated persons thereof, or otherwise to carry out this Act, in order to protect investors, or to further the public interest."
23 ?For the purposes of this standard, the phrase "issuer under audit" or "company under audit" has the same meaning as "audit client" under PCAOB Rule 3501(a)(iv).
[top] Some comment letters on the proposal supported the PCAOB's efforts to fulfill the "long overdue" ACAP recommendation to require audit firms to uniformly disclose certain information about their organization
As explained throughout this release, the Board believes that the adopted amendments will ultimately enhance investor protection and improve audit quality while not unduly burdening firms. In addition, the Board discusses the ACAP Final Report as appropriate context for it to consider in the course of this rulemaking, not as binding on the Board nor as conferring any authority on the Board.
3. Transparency Reporting Developments
Currently, in certain other jurisdictions, audit firms disclose governance and other information according to legal and regulatory frameworks, including those imposed by authorities in the European Union, the United Kingdom, Japan, and Canada. For example, the European Union's transparency report requires a description of the legal structure and ownership of the audit firm, network-related information, a description of the governance structure of the audit firm, information concerning the basis for the partners' remuneration, and information regarding revenue, including disaggregation of revenue from audit and non-audit services. 24
Footnotes:
24 ?See Regulation (EU) No 537/2014 of the European Parliament and of the Council of 16 April 2014 on specific requirements regarding statutory audit of public-interest entities and repealing Commission Decision 2005/909/EC Text with EEA relevance at Article 13, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32014R0537.
In 2021, the International Forum of Independent Audit Regulators (IFIAR) published a report analyzing developments in the audit market, including developments in transparency reporting. 25 Discussing a survey of IFIAR members, the report noted that, of 50 respondents, 36 had adopted transparency reporting by audit firms and, of those 36, 27 had done so on a mandatory basis. 26 The report further observed that, while transparency reporting may vary from jurisdiction to jurisdiction, transparency reports generally include "information related to governance and commitments of each firm including but not limited to legal/governance structure; relationships with an audit firm network; quality control system and outcomes; tone at the top; development of qualified professionals; financials; and responses to relevant regulations."? 27
Footnotes:
25 ? See IFIAR, Internationally Relevant Developments in Audit Markets (July 20, 2021), available at https://www.ifiar.org/?wpdmdl=13063.
26 ? See id. at 24.
27 ? See id. at 23-24 (footnote omitted).
Recent academic studies support these initiatives, having found that audit firms subject to transparency regulations display improvement in audit quality, and transparency is associated with improved investor confidence, 28 as discussed more fully in the release's economic analysis.
Footnotes:
28 ? See, e.g., Shireenjit K Johl, Mohammad Badrul Muttakin, Dessalegn Getie Mihret, Samuel Cheung, and Nathan Gioffre, Audit firm transparency disclosures and audit quality, 25 International Journal of Auditing 508 (2021); Fabio La Rosa, Carlo Caserio, and Francesca Bernini, Corporate Governance of Audit Firms: Assessing the usefulness of transparency reports in a Europe-wide Analysis, 27 Corporate Governance: An International Review 14 (2018).
Many firms also voluntarily disclose governance and other information in transparency reports. For example, one audit quality disclosure framework published in 2023 seeks to support those firms' efforts with a disclosure framework "to assist firms in their ongoing efforts to determine, assess, and communicate information that may be useful to stakeholders in understanding how audit quality is supported and monitored at the firm level."? 29 Among other things, the model disclosure framework emphasizes governance disclosures, noting that "organizational structure and composition of a firm's governing body, leadership team, internal committees, professional practice group ( e.g., national office or similar body), audit quality networks, and partnerships/alliances (for example) give insight into who is responsible for oversight of audit quality initiatives."? 30
Footnotes:
29 ? See CAQ, Audit Quality Disclosure Framework (Update) (June 2023), available at https://thecaqprod.wpenginepowered.com/wp-content/uploads/2023/06/caq_audit-quality-disclosure-framework-update_2023-06.pdf.
30 ? See id.
As another example, in 2015, after yearslong public engagement and study, the International Organization of Securities Commissions (IOSCO) published a report. 31 In connection with this consultation, IOSCO observed that "[m]ost investors, audit oversight bodies, and banking and securities regulators expressed views that increased transparency reporting should be an obligation of audit firms and that such reporting could have direct or indirect benefits, including a favorable impact on audit quality."? 32 IOSCO further noted that "user/investor groups and auditor oversight bodies and regulators expressed support for the full range of transparency reporting discussed in the Consultation Paper," which included information related to audit firm governance, audit firm financial statements, and audit quality indicators. 33 Respondents from the audit profession, the report notes, "broadly supported transparency reporting related to audit firm organization and governance, to make the structure of the firm more transparent to stakeholders, but had mixed views on transparency reporting of audit firm operational metrics and performance statistics that might serve as audit quality indicators, especially with respect to public reporting of such information."? 34
Footnotes:
31 ? See IOSCO, Transparency of Firms that Audit Public Companies Final Report (Nov. 2015), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD511.pdf.
32 ?See IOSCO, Comments Received in response to Consultation Reports on Issues Pertaining to the Audit of Publicly Listed Companies (2010), at 12, available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD337.pdf.
33 ? See id. at 12-14.
34 ? See id. at 13.
In issuing its report, IOSCO observed that "in comparing audit firms competing for an audit engagement, audit firm transparency reporting can aid those responsible for selecting a public company's auditor in their decision making process by providing information on a firm's audit quality," and that "[t]ransparency reporting can foster internal introspection and discipline within audit firms and may encourage audit firms to sharpen their focus on audit quality, which would also be of benefit to investors and other stakeholders."? 35 The report contended that an audit firm transparency report could be considered of high quality if the information in the report included, among other elements, information about the audit firm's legal and governance structure. 36
Footnotes:
35 ? See IOSCO, Transparency of Firms (2015), at 1.
36 ? See id.
[top] Thus, there is substantial transparency reporting by audit firms, including but not limited to audit firm financial, governance, and network-related information, both in response to regulatory requirements and to market demands. Much of this reporting, moreover, provides information beyond what is currently required by the
Some commenters on the proposal acknowledged that transparency reports have not completely resolved the present opacity with respect to various aspects of audit firms and that the Board's proposed revisions would mitigate this lack of transparency. In contrast, some commenters stated that voluntary transparency reports already contain some of the information the Board has requested or that the PCAOB should more closely study such reports to pinpoint any duplicative disclosure requirements. The Board agrees that some firms already disclose some of the information in the final amendments in voluntary transparency reports. But the Board's analysis indicates such information is not consistent or comparable across firms or even year to year for the same firms. The Board continues to believe that voluntary transparency reporting has not sufficiently mitigated audit firm opacity, and that the final amendments will promote further transparency and enhance standardization and comparability of available information.
4. PCAOB Advisory Group Input
The PCAOB's June 2022 Investor Advisory Group (IAG) meeting included discussion of audit firm transparency, including support for reporting measures of audit quality and other outstanding ACAP recommendations. 37 For example, during an IAG discussion that was focused on the relationship between a firm's audit practice and the firm's overall business, an IAG member urged the PCAOB to revisit ACAP's recommendations and noted ACAP's emphasis on governance, leadership, and structure and business model. 38 Moreover, the IAG previously discussed the status of ACAP recommendations, including the recommendation for large firms to submit financial statements, which generated support from IAG members. 39 For example, discussing the importance of audit firms, an IAG member stated that "the investor community strongly believes that . . . it is only reasonable to expect some level of disclosure about the manner in which the firms are governed and about their financial strength and sustainability that is much greater than the information that's provided today."? 40 Members of the IAG submitted a comment letter to the Proposal, in which they expressed support for the Proposal's fulfillment of the 2008 ACAP recommendation and discussed how the proposal would allow investors to make more informed decisions and assist the PCAOB in exercising its oversight responsibilities.
Footnotes:
37 ? See PCAOB Investor Advisory Group Meeting (June 8, 2022), available at https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting-2022.
38 ? See PCAOB Investor Advisory Group Meeting (June 8, 2022), Transcript, at 127:2; 152:18.
39 ? See PCAOB Investor Advisory Group Meeting (Oct. 27, 2016); see also Steven B. Harris, Board Member, PCAOB, Audit Industry Concentration and Potential Implications, address at the 2017 International Institute on Audit Regulation (Dec. 7, 2017), available at https://pcaobus.org/news-events/speeches/speech-detail/audit-industry-concentration-and-potential-implications_674. ("At this year's IAG meeting, members recommended by unanimous consent that the Big Four provide annual audited financial statements.").
40 ? See PCAOB Investor Advisory Group Meeting (Oct. 27, 2016) Meeting Transcript, at 179:16, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/news/events/documents/102716-iag-meeting/iag-meeting-transcript-10-27-16.pdf?sfvrsn=5cb1d454_0.
The September 26, 2024 meeting of the PCAOB's IAG included a discussion of audit firm ownership structures and funding arrangements, during which members observed a lack of reporting in this area. 41
Footnotes:
41 ? See PCAOB Investor Advisory Group Meeting (Sept. 26, 2024), available at https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting-september-2024.
5. Cybersecurity Developments
Cybersecurity incidents have increased in recent years in size, frequency, and sophistication. Federal financial regulators have responded by imposing new cyber-specific reporting requirements. For example, the SEC has adopted new cybersecurity reporting requirements for public companies and proposed new cybersecurity reporting requirements for investment managers. 42 In proposing certain of these requirements, the SEC noted that
Footnotes:
42 ?See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, SEC Rel. No. 33-11216 (July 26, 2023); Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, SEC Rel. No. 33-11028 (Feb. 9, 2022).
[t]he U.S. securities markets are part of the Financial Services Sector, one of the sixteen critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. 43
Footnotes:
43 ?SEC Rel. No. 34-97142, at 8.
The SEC has further noted that
[c]ybersecurity risks have increased for a variety of reasons, including the digitalization of registrants' operations; the prevalence of remote work, which has become even more widespread because of the COVID-19 pandemic; the ability of cyber-criminals to monetize cybersecurity incidents, such as through ransomware, black markets for stolen data, and the use of crypto-assets for such transactions; the growth of digital payments; and increasing company reliance on third party service providers for information technology services, including cloud computing technology. 44
Footnotes:
44 ?See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, SEC Rel. No. 33-11038 (Mar. 9, 2022), at 6-7 (footnotes omitted).
Bank regulators now require that certain banks and their service providers notify regulators within 36 hours of cybersecurity incidents that have "materially disrupted or degraded" the organization. 45 In adopting these requirements, the banking regulators noted that "[c]yberattacks targeting the financial services industry have increased in frequency and severity in recent years."? 46
Footnotes:
45 ?See Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 FR 66424 (Nov. 23, 2021).
46 ? Id. at 66425 (footnote omitted).
PCAOB staff experience indicates that the cybersecurity landscape faced by audit firms continues to evolve and that cybersecurity incidents at audit firms are increasing in both volume and complexity. Accounting and financial data may be particularly attractive targets for such attacks. 47 Some reports suggest that cyberattacks on accounting firms increased by 300 percent in the several months after the onset of the COVID-19 pandemic. 48
Footnotes:
47 ? See Chris Gaetano, More than a third of orgs had accounting-related cyber incidents, Accounting Today Online (Feb. 8, 2023) ("A recent poll of C-suite and other executives from Big Four firm Deloitte showed evidence of this. It found that 34.5% of organizations have experienced at least one `cyber event' targeting accounting and financial data over the past year. Of these, 12.5% have experienced more than one. Executives don't expect this to ease up anytime soon either, as almost half-48.8%-expect that the number of cyber incidents will increase over the next year.").
48 ?See Gary Salman, The rise of cybercrime in the accounting profession continues, Accounting Today Online (Aug. 24, 2020); see also Maggie Miller, FBI sees spike in cyber crime reports during coronavirus pandemic, The Hill (Apr. 16, 2020).
The September 26, 2024 meeting of the PCAOB's IAG included a discussion of cyber risks in external audits. 49
Footnotes:
49 ? See PCAOB Investor Advisory Group Meeting (Sept. 26, 2024), available at https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting-september-2024.
The increased prevalence of cybersecurity incidents has implications for the operations of audit firms, the degradation of which could impact their provision of audit services, as well as for improper access to confidential data of issuers and individuals by bad actors and other third parties.
6. Rulemaking History
[top] On April 9, 2024, the Board proposed to amend its annual and special
• Revise Form 2 to require more information regarding a firm's network arrangements; leadership and governance structure; and fees collected and client base, and implement a new requirement for the largest accounting firms to confidentially submit financial statements to the PCAOB on an annual basis and in conformity with an applicable reporting framework;
• Revise Form 3 to shorten the timeframe for reporting from 30 days to 14 days (or more promptly as warranted), and expand the scope of special reporting to include (on a confidential basis) events that pose a material risk, or represent a material change, to the firm's organization, operations, liquidity or financial resources, or provision of audit services;
• Implement new cybersecurity reporting requirements, including reporting of significant cybersecurity incidents within five business days on a confidential basis and public reporting of a description of a firm's policies and procedures, if any, to identify, assess, and manage cybersecurity risks; and
• Implement new Form QCPP to capture updates to a firm's quality control policies currently provided in a firm's application for registration (Form 1).
The Board received comment letters on the proposal from over 35 commenters across a range of affiliations, including firms and firm-related groups, investors and investor-related groups, trade groups, consultants, and others. Some commenters asked the PCAOB for more than 60 days to respond to the proposal, citing overlapping comment proposal periods, the duration of comment periods, the length and complexity of various proposals, and overlapping SEC Form 19b-4 filing comment periods. Some commenters recommended the PCAOB engage in further outreach, or re-propose, before finalizing any new Firm Reporting requirements. The Board believes that 60 days was a sufficient period for comment on the proposal. The Board notes that it continued to receive comment letters that were submitted after the 60-day period closed and those letters are considered in this release. The Board received robust comments on the proposal, which have importantly informed the final amendments. The Board considers the comments throughout this release.
Improvements To Audit Firm Reporting Requirements
The Board believes that the final amendments will improve audit firm reporting in several respects:
Decision-useful information. The Board's oversight indicates that quantitative and qualitative aspects of firm structure, resources, and operations could impact the ability of firms to conduct quality audits, and therefore more public disclosure about registered firms will facilitate informed decision-making and risk assessment by investors and audit committees. As discussed further in the economic analysis, because standardized disclosures by audit firms support audit committees' and investors' abilities to identify a firm whose characteristics best meet investor needs regarding the audit, the final amendments will ultimately enhance the quality of audits. In this regard, the Board notes that the newly required information should be useful both on its own and in conjunction with other public information regarding audit firms, including, for example, the metrics included in Firm and Engagement Metrics, if approved by the SEC. The Board further believes enhanced firm transparency will improve investor confidence in public company audits because it will increase the information available to efficiently and effectively evaluate a firm for ratification.
Some commenters, principally investor-related groups, supported the usefulness of the proposed information, including stating that the proposal can produce significant benefits to investors by providing information they currently do not have access to that can assist them in making more informed decisions about whether to vote to approve the ratification of the auditor or the election or reelection of board members, or in exercising their responsibilities for oversight of the audit committees of public companies. One commenter mentioned that the PCAOB would be able to standardize the information received, and mitigate the submission of incomplete, inaccurate, or insufficiently detailed information, thus facilitating the PCAOB's regulatory functions ( i.e., firm monitoring, the inspection program, enforcement investigations, and the PCAOB's standard-setting process). Some commenters, principally firms or firm-related groups, questioned the usefulness of the proposed information, including stating that the proposed information does not appear to be relevant or useful to investors or audit committees and questioning how the proposed requirements would impact audit quality. One commenter stated its belief that investor decision-making is based on issuer financial performance and not information about the firms that audit those issuers, highlighting the audit committee's statutory responsibility to represent the needs of investors.
In the discussion below, the Board summarizes and considers comments on this subject related to individual requirements, and sets forth the ways it is modifying the requirements in the final amendments to better focus on information that will be useful to stakeholders in their decision-making. In general, the Board continues to believe that enhanced information regarding audit firms will support audit committees' abilities to efficiently and effectively compare firms in their appointment decisions and monitoring efforts, and investors' abilities to efficiently and effectively compare firms in their ratification decisions and monitoring efforts, and in their capital allocation decisions. The required disclosures will also provide indirect benefits linked to audit quality, financial reporting quality, capital market efficiency, and competition, as discussed below.
Data and information to support the PCAOB's regulatory mission. The Board believes that more reporting by registered firms will (1) facilitate monitoring of firms for risks or issues that may affect the ability of firms to conduct quality audits and may potentially affect the broader market for audit services; (2) facilitate analysis and planning related to the PCAOB's inspection program; (3) identify circumstances or events that may warrant or inform enforcement investigations; and (4) inform the PCAOB's standard-setting and rulemaking processes. The Board notes the PCAOB actively engages in policy research related to the market for assurance services to further the PCAOB's mission by informing the standard-setting agenda, among other things. The additional data provided by this proposal will enhance the PCAOB's ability to produce impactful research and translate that gained knowledge into improved standards and rules. Relatedly, the additional data will also provide valuable information sources for the public, including academic research. Improved research quality is an important benefit, as it is an important element of the PCAOB's standard-setting projects.
[top] Some commenters agreed that the proposed requirements would enhance the PCAOB's oversight, including
Improved standardization of information. In addition to making more information available, formalizing reporting requirements will make the information more useful by increasing standardization and comparability. This will serve both public transparency interests and the PCAOB's regulatory function.
Some commenters, principally firms or firm-related groups, questioned whether the proposed requirements would achieve comparability, including stating that firms vary significantly in size and structure making it more difficult to compare firm to firm, stating that comparison of the information reported is unlikely to result in a ranking or judgment of one firm being more qualified than others to serve as auditor for an issuer or broker dealer, and encouraging the Board to clarify the information to be reported to support comparability. Similarly, some commenters called for an alternative disclosure regime, including one commenter who suggested an alternative similar to the EU's principles-based system which could provide similar public benefits at much lower cost.
In a discussion below, the Board summarizes and considers comments on this subject related to individual reporting requirements and discusses clarifications to reporting requirements which should support comparability. In general, the Board continues to believe that setting forth mandatory reporting requirements, as compared to voluntary reporting and/or supplemental or ad hoc information requests through the inspection process, will overall improve standardization and comparability of information available, as discussed in the economic analysis. At the same time, the reporting provisions permit narrative disclosures to accommodate the need for context for the reported information. The final amendments seek to balance the need for specificity in the requirements with the need to accommodate principles-based disclosure to permit judgment on the part of the firms regarding how to contextualize reported information.
Improved timeliness of certain information. By requiring certain special reports on a shorter timeframe, namely material events and cybersecurity incidents, enhanced special reporting requirements will get useful information to the PCAOB more quickly. As discussed below, commenters raised questions on the need for more timely reporting of existing Form 3 events, and in consideration of these comments and the Board's reporting objectives, the Board determined not to adopt the acceleration of the Form 3 deadline for existing reporting items. However, the Board has adopted accelerated reporting deadlines for material events and cybersecurity incidents because those events are, by definition in the final amendments, significant and likely to represent issues meriting more urgent reporting. For those events, the Board continues to believe more accelerated reporting to the Board is appropriate and will enable the Board to respond to potential disruptions or alterations in audit firm operations appropriately.
Key Provisions of the Final Amendments
In light of the above, the Board has enhanced the required reporting of certain information by registered firms:
• Financial Information: The Board has adopted amendments to require all registered firms to report on the Annual Report Form additional fee information, and to require the largest registered firms to confidentially submit financial statements to the PCAOB. The Board believes such information will provide insight into a firm's practice, focus, and incentives, and inform the PCAOB's oversight of registered firms. The Board also believes that public fee data will inform decision-making and risk assessment by investors, audit committees, and others.
• Governance Information: The Board has adopted amendments to require all registered firms to report on the Annual Report Form additional information regarding their leadership, legal structure, ownership, and other governance information, including reporting on certain key Quality Control operational and oversight roles. The Board believes that such information will help investors and audit committees to better understand firm processes and priorities, and to differentiate among firms with respect to, for example, leadership, oversight, and independence practices. Such information will also bolster the PCAOB's oversight of registered firms, complementing and improving upon the information already collected through the inspections process.
• Network Relationships: The Board has adopted amendments to require a more detailed public description on Form 2 of any network arrangement to which a registered firm is subject, including describing the network's structure, the registered entity's access to resources such as audit methodologies and training, whether the firm shares information with the network regarding its audits including whether the firm is subject to inspection by the network. The Board believes such information will give the PCAOB, investors and audit committees greater insight into how a network arrangement influences firm governance and the conduct of audits, including oversight and access to resources.
• Special Reporting: The Board has adopted amendments to implement a new confidential special reporting requirement for events material to a firm's organization, operations, liquidity or financial resources, such that they affect the provision of audit services. This provision is applicable to annually inspected firms. The Board believes that more formalized reporting of material events that will affect audit services will inform the PCAOB's oversight of registered firms and facilitate the Board's timely response to events that may potentially disrupt or alter the provision of audit services.
[top] • Cybersecurity: The Board has adopted amendments to require prompt confidential reporting of significant
• Updated Description of QC Policies and Procedures: The Board has adopted a new form that will require any firm that registered with the Board prior to the date that QC 1000 becomes effective (December 15, 2025) to submit an updated statement of the firm's quality control policies and procedures pursuant to QC 1000. The Board believes it is important that firms update the statement regarding their quality control policies and procedures, originally made in connection with their registration application on Form 1, to reflect the changes to their policies and procedures made in response to the new quality control standard.
1. Authority
As with the Board's original promulgations of Form 2 and Form 3, the Board's authority for the amendments and rules is well settled. 50 Section 102(d) of Sarbanes-Oxley provides that "Each registered public accounting firm shall submit an annual report to the Board, and may be required to report more frequently . . . to provide to the Board such additional information as the Board or the Commission may specify, in accordance with subsection (b)(2)." Subsection 102(b)(2)(H), in turn, provides that "Each public accounting firm shall submit, . . . in such detail as the Board shall specify . . . such other information as the rules of the Board or the Commission shall specify as necessary or appropriate in the public interest or for the protection of investors." This broad mandate leaves no doubt that the Board's authority rests on firm ground.
Footnotes:
50 ? See PCAOB Rel. No. 2008-004, at 4; see also Proposed Rules on Periodic Reporting by Registered Public Accounting Firms, PCAOB Release No. 2006-004, at 2 (May 23, 2006).
First, under the plain text of Section 102(b)(2)(H), the amendments and rules need only be either (1) "necessary" or (2) "appropriate," and either (a) "in the public interest" or (b) "for the protection of investors." Each of the reporting requirements adopted in this release plainly satisfies multiple-and at least one (which is all that is required)-of the four permutations that provide an avenue of authority.
As explained herein and in the proposal, the reporting of publicly available information will assist investors, and audit committees, among others, to better assess aspects of firm operations that may influence the conduct of audits. Both individually and collectively, this newly required information should provide a clearer, more complete picture of an audit firm and its capacity to perform audits. 51 Such utility applies a fortiori when the information is used in conjunction with other publicly available data, including Form AP data and data from Firm and Engagement Metrics.
Footnotes:
51 ?To the extent that these benefits improve audit quality, they also should enhance the credibility of financial reporting. See, e.g., Mark DeFond and Jieying Zhang, A review of archival auditing research, 58 Journal of Accounting and Economics 275 (2014) (asserting that audit quality improves financial reporting quality by increasing the credibility of the financial reports).
Confidentially reported information will similarly inform the Board, allowing the Board to learn about, or better understand, the operations of registered firms, providing a more comprehensive window into the health of registered firms and their capacity to perform audits. For instance, regular reporting of financial information by larger firms or special reporting of certain material events ( e.g., a report on a firm's likely inability to continue as a going concern) will allow the Board to anticipate a potential firm closure, including by notifying downstream regulators ( e.g., the Commission), which would allow those regulators to make appropriate preparations including, for example, issuing relief for affected issuers. Such a scenario is not merely hypothetical, as just this past year, the Commission issued an exemptive order for issuers to make certain Exchange Act filings in light of a registered firm shuttering its public company audit practice. 52 In addition, such reporting would allow the Board to provide appropriate guidance to its registered firms related to, for example, obligations of successor auditors.
Footnotes:
52 ? Order under Section 36 of the Securities Exchange Act of 1934 Granting Exemptions from Specified Provisions of the Exchange Act and Certain Rules Thereunder, SEC Release No. 34-100185 (May 20, 2024).
Information (whether reported publicly or confidentially) also will allow the Board to enhance or otherwise adjust its oversight as needed or as appropriate to protect investors and the public. Whether such enhancements or modifications to oversight take the form of inspection scoping, inspection frequency, or other regulatory actions, the result of the newly required disclosures is the same: the Board will have at its disposal greater information-both with respect to individual firms and trends across the audit market-to better oversee auditors of public companies, brokers, and dealers.
Second, Section 102(b)(2)(H)'s use of "appropriate" evinces Congress's intent to grant significant discretion to the Board to determine what types of reporting is in the public interest or to protect investors. Indeed, such statutory language "leave[s] [the Board] with flexibility"? 53 and "affords [the Board] broad policy discretion."? 54 That the new or enhanced reporting items described in the release fit neatly within the confines of that statutory discretion is evident by the enumerated categories of information that Congress required firms to disclose in Sarbanes-Oxley.
Footnotes:
53 ? Loper Bright Enters v. Raimondo, 144 S. Ct. 2244, 2263 (2024) (quoting Michigan v. EPA, 576 U.S. 743,752 (2015) (quotation marks omitted)).
54 ? Kisor v. Wilkie, 588 U.S. 558, 632 (2019) (Kavanaugh, J., concurring in the judgment) ("To be sure, some cases involve regulations that employ broad and open-ended terms like `reasonable,' `appropriate,' `feasible,' or `practicable.' Those kinds of terms afford agencies broad policy discretion, and courts allow an agency to reasonably exercise its discretion to choose among the options allowed by the text of the rule.").
[top] For instance, Congress mandated that firms disclose in their application for registration "annual fees received by the firm from each such issuer, broker, or dealer for audit services, other accounting services, and non-audit services, respectively,"? 55 and "such other current financial information for the most recently completed fiscal year of the firm as the Board may reasonably request."? 56 It requires no straining of "appropriate" to conclude that requiring that the same or similar fee and financial information be submitted annually (as opposed to only upon registration) is of a piece with Sections 102(b)(2)(B) and (C) of Sarbanes-Oxley. 57 That is especially so given that
Footnotes:
55 ?Section 102(b)(2)(B) of Sarbanes-Oxley.
56 ? Id. Section 102(b)(2)(C).
57 ?That same reasoning applies to "necessary" in Section 102(b)(2)(H) in Sarbanes-Oxley. See, e.g., Metrophones Telecommc'ns, Inc. v. Global Crossing Telecommc'ns, Inc., 423 F.3d 1056, 1068 (9th Cir. 2005) ("Given the reach of the [FCC's] rulemaking authority under §?201(b)"-which granted to the FCC the "broad power to enact such `rules and regulations as may be necessary in the public interest to carry out the provisions of this Act'?"-"it would be strange to hold that Congress narrowly limited the Commission's power to deem a practice `unjust or unreasonable.'?"); Brown v. Azar, 497 F. Supp. 3d 1270, 1281 (N.D. Ga. 2020) ("[W]hen an agency is authorized to `prescribe such rules and regulations as may be necessary in the public interest to carry out the provisions of the Act,' Congress' intent to give an agency broad power is clear."), appeal dismissed as moot, 20 F.4th 1385 (11th Cir. 2021) (mem.).
58 ? Id. Section 102(d).
Similarly, Congress mandated that firms disclose "a list of all accountants associated with the firm who participate in or contribute to the preparation of audit reports, stating the license or certification number of each such person, as well as the State license numbers of the firm itself."? 59 It strains credulity to think that the newly required disclosures-of the names of individuals serving in leadership positions, or of a firm's governance structure as a whole, or of a firm's network information-are outside the bounds of "appropriate" in light of the information (and the granularity of such information) that Congress required of firms when applying for registration. 60 Indeed, the Board originally construed network information as an appropriate subject of periodic reporting when the Board required it in 2008 when adopting Form 2. The final amendments merely require incremental additional information regarding network arrangements to increase the usefulness of the network disclosures by providing greater information regarding, for example, network members access to network resources.
Footnotes:
59 ? Id. Section 102(b)(2)(E) (emphasis added).
60 ?Section 101 of Sarbanes-Oxley supplies ancillary authority for this rulemaking. For example, Section 101(c)(5) empowers the Board to "perform such other duties or functions as the Board . . . determines are necessary or appropriate to . . . carry out this Act, in order to protect investors, or to further the public interest." In addition, Section 101(g)(1) provides rulemaking authority to the Board, specifying that the Board's rules "provide for the operation and administration of the Board, the exercise of its authority, and the performance of its responsibilities under" Sarbanes-Oxley.
Some firm and firm-related groups questioned the Board's statutory authority to require the proposed information. Commenters believe that the Board's authority under Section 102(b)(2) is more limited than the Proposal's interpretation. One commenter stated that the Board's reliance on the phrase "such other information" in Section 102(b)(2)(H) is constrained and, in analogizing to a Supreme Court ruling, expressed that "statutory reference" to the adoption of regulations that are "necessary or appropriate" does not give an agency "authority to act, as it [sees] fit, without any other statutory authority." This commenter argued that the phrase "such other information" must refer to items "similar in nature to those objects enumerated by the preceding specific words" ( i.e., the Board's authority to require the provision of "other" information under subsection (b)(2)(H) is limited to information of the type enumerated in subsections (b)(2)(A) through (b)(2)(G), which includes the names of clients, fees received from issuers and broker-dealers, certain other financial information, quality control policies, the names of accountants, criminal or civil proceedings, and instances of accounting disagreements). As explained above however, the required disclosures are in fact similar in nature to those statutorily enumerated reporting items and also fall within the Board's authority under subsection (b)(2)(H).
Another commenter stated that none of the proposed requirements are covered under Sections 102(b)(2)(A) through (G), that the Sarbanes-Oxley Act does not give the PCAOB authority to tell audit firms how to run their businesses, and that monitoring audit firm financial stability and market risk is not within the PCAOB's remit. That position, however, does not account for Congress's mandate that firms disclose on their registration applications "annual fee [?]" and "current financial information," as set forth in Sections 102(b)(2)(B) and (C) of Sarbanes-Oxley, and Congress's empowering the Board to require firms to "update the information contained in [their] application[s] for registration" annually or "more frequently," as set forth in Section 102(d). Moreover, nothing in this rulemaking is intended to "tell audit firms how to run their businesses." For example, the rulemaking does not contemplate a preferred governance structure for firms (let alone mandate such a structure); the rulemaking merely requires disclosure of a firm's governance structure, whatever that structure may be. Commenters also specifically asserted that the Board's rulemaking authority under Section 101(c)(5) is not a "catch all" authority for the Board to adopt any rule that it deems in the public interest. One commenter expressed that this provision does not grant the Board the authority to engage in rulemaking, and the "public interest" and "necessary or appropriate" clauses place the same constraints on the Board mentioned above. In other words, the commenter stated, a "statutory reference" to the performance of duties or functions that are "necessary or appropriate" does not give an agency "authority to act, as it [sees] fit, without any other statutory authority."
Although the Board agrees that "necessary" and "appropriate" are not unbounded, they provide a broad degree of discretion and flexibility, as noted above and as recognized by courts. 61 Moreover, Section 102(b)(2)(H) expressly contemplates the provision of "other information" the Board may require through rulemaking. Courts have described such statutory language as signifying "a catch-all provision."? 62 In fact, based on its plain meaning, one appeals court has read "other" as necessarily introducing categories that are distinct from anything that preceded it, meaning that "such other information" in Section 102(b)(2)(H) need not "address" the types of information in Sections 102(b)(2)(A)-(G). 63
Footnotes:
61 ? See supra footnotes 54 and 55 and accompanying text; see also footnote 58.
62 ? Navajo Nation v. Dalley, 896 F.3d 1196, 1212 (10th Cir. 2018); see also, e.g., Madison v. Virginia, 474 F.3d 118, 133 (4th Cir. 2006) ("other Federal statute prohibiting discrimination" is a "catch-all provision"); cf. Meehan v. Atl. Mut. Ins. Co., 2008 WL 268805, at *7 (E.D.N.Y. Jan. 30, 2008) ("The term `other policies' now accomplishes the task of including all governmental activity and becomes a catch-all phrase including all other policies not already implied[.]" (citations and quotation marks omitted)).
63 ? Navajo Nation, 896 F.3d at 1212-13 ("Congress expressed its scope in broad terms, to encompass `any other subjects that are directly related to the operation of gaming activities.' But the key word here is `other.' . . . And applying the ordinary and everyday meaning of the word `other' . . . , it becomes patent that Congress did not intend for that clause to address the `subjects' covered in the preceding clauses of subsection (C)[.]" (citation omitted)).
[top] Further, with respect to the assertion that Section 101(c)(5) is not a "catch-all" for the Board to adopt any rule it deems in the public interest, the Board notes that Section 101(c)(5) uses the same statutory language "other" as Section 102(b)(2)(H), discussed immediately above. For that reason, Section 101(c)(5) would be aptly
Footnotes:
64 ? See supra footnote 63.
65 ?Section 101(c)(5) of Sarbanes-Oxley.
This release has outlined how the disclosures mandated will enhance transparency and bolster the PCAOB's oversight capabilities. Such enhancements are designed to improve PCAOB oversight and inform investor and audit committee decisions, and in turn to protect investors and enhance audit quality, fully aligning with the overarching objectives of Sarbanes-Oxley, and therefore are appropriate exercises of the Board's authority under Section 102. 66
Footnotes:
66 ?In response to the concerns raised by firm commenters regarding the Board's use of Sarbanes-Oxley's relevant "necessary and appropriate" clauses, it is important to clarify that the Board has not claimed any implicitly delegated authority beyond the regulatory parameters established by Congress. The use of the Section 101 and 102 authorities in this rulemaking is firmly grounded within the explicit mandates provided by Sarbanes-Oxley, and is consistent with the statutory limitations and directives outlined in those provisions. The Board's application of these authorities has been aimed at enhancing transparency and regulatory oversight, and therefore ultimately the quality of audits of issuers and broker-dealers, which directly aligns with the PCAOB's core mission to protect investors and the public interest. The Board has utilized the tools provided by Sarbanes-Oxley to carry out the responsibilities entrusted to us.
Other commenters specifically raised concern related to reporting requirements extending beyond a registered firm's issuer and broker-dealer audit practice. In this vein, commenters raised authority concerns with respect to particular aspects of the proposed requirements:
• Fee reporting unrelated to issuer and broker-dealer audits.
• Financial statements reporting, which would include financial information beyond the audit practice.
• Cybersecurity incident reporting unrelated to a firm's issuer or broker-dealer audit practices.
• Governance reporting such as processes governing a change in the form of organization.
• Network-related reporting requirements which called for information regarding the registered entity's relationship to an unregistered entity.
• Material event reporting, which called for events material to the firm broadly.
The PCAOB's statutory mandate is not circumscribed to information related specifically to issuer or broker-dealer audits. Indeed, Section 102(b)(2)(B) expressly contemplates the provision of information relating to "other accounting services" and "non-audit services." That makes sense, as information related to a registered firm's broader operations is relevant to the conduct of the audit practice. 67 Nevertheless, the proposed requirements were crafted to elicit reporting regarding aspects of a firm's operations that are linked to its conduct of audits as described above, including the relationship of the audit practice to the overall business, firm and network resources available for the audit practice, and events at the firm level that will affect the firm's ability to conduct audits. In consideration of comments and the Board's intended reporting objectives, nearly all of the specific requirements listed above have been modified to more firmly link the reporting requirement to aspects of the firms' operations that may influence the conduct of audits overseen by the PCAOB, as described in more detail below. 68
Footnotes:
67 ? See PCAOB Release No. 2006-004, at 4 (the Board describing that it intended fee reporting across all areas of the firm's business to provide a "picture of how the firm's services for issuer audit clients compare generally with the firm's services for other clients, and [?] also [to] provide a picture of the allocation of services the firm provided to issuer audit clients").
68 ?With respect to financial statement reporting, the Board has modified the requirement to reduce costs to firms as discussed below. In addition, the Board notes that the requirement as initially proposed (and as the Board has adopted) is already narrowly tailored to the largest firms, which have an outsize impact on the capital markets.
Lastly, as noted above, the Board reiterates that the final amendments set forth reporting requirements and do not purport to regulate how audit firms conduct their businesses. The final rules do not impose obligations on firms beyond reporting certain specified information.
2. Confidentiality
Information To Be Reported Publicly
The proposal clarified that certain of the information provided in response to the new reporting items would be reported publicly, namely enhanced fee information, governance and network information, and information related to a firm's policies and procedures, if any, that are intended to manage cybersecurity risks. 69 The Board did not propose to permit confidential treatment requests for the publicly reported information. Permitting confidential treatment would be inconsistent with an important goal of these enhanced reporting requirements-informing investors, audit committees, and other stakeholders, and promoting investor confidence in public company audits and financial reporting. Moreover, the Board explained in the proposal that it believed public disclosure of the proposed information was consistent with Sarbanes-Oxley.
Footnotes:
69 ?The proposal also contemplated a public one-time update to the "Statement of Applicant's Quality Control Policies," as discussed below.
Specifically, Section 102(e) of Sarbanes-Oxley provides that reports required under that section "shall be made available for public inspection, subject to rules of the Board or the Commission, and to applicable laws relating to the confidentiality of proprietary, personal, or other information." Additionally, it requires the Board to "protect from public disclosure information reasonably identified by the subject accounting firm as proprietary information." Consistent with the approach the Board has taken in its consideration of confidential treatment requests for information required by its existing forms, the Board understands "proprietary" to mean a formula, practice, process, or design owned by a particular firm that the firm keeps private for competitive advantage. 70 The Board did not believe at the time of the proposal that the information it proposed for public reporting would require disclosure of such proprietary information or, based on the Board's experience in this area, that any other law shields the proposed information from disclosure.
Footnotes:
70 ? See Black's Law Dictionary (11th ed. 2019) (cross referencing "proprietary information" and "trade secret").
The Board believed that much of the information proposed to be publicly reported is of the type that is already made public in some form by audit firms, including in existing transparency reporting, or is otherwise publicly available (although not currently centralized or presented on a comparable basis), and the Board designed the proposed reporting requirements to avoid disclosure of personal-identifying or client-specific information that might be protected by law, or that would be proprietary as the Board understands the term.
[top] Some commenters expressed concerns that the Board's proposal would not permit confidential treatment requests
Lastly, some commenters questioned the PCAOB's decision to require public reporting of some items, stating that the proposal does not give sufficient weight to the way Congress envisioned investors would be protected, which is through the PCAOB's inspection process, a process that Congress carefully structured with appropriate confidentiality safeguards to encourage robust exchanges of information and perspectives between the firms and the PCAOB.
The reporting requirements have been modified in response to comments, as discussed below, to further reduce the possibility that they call for reporting proprietary information, including in connection with the network-related reporting requirements. The Board has further clarified in the release that the requirements are not designed to elicit proprietary information, that information is sought at a high enough level to exclude proprietary information, and that the requirements are sufficiently principles-based to provide flexibility in reporting, including as it relates to network-related information and Form QCPP. The Board further notes that issuer fee information is reported in SEC filings and therefore is already public. Lastly, the reporting requirements have been modified to limit the disclosure of individual names to all but the most senior positions. Thus, the Board believes that the final amendments do not require the disclosure of information that a firm could reasonably identify as proprietary, and that, based on the Board's experience, no other law shields the required information from disclosure.
By adopting this approach, the Board believes that prohibiting confidential treatment requests for the carefully tailored public reporting items will further the public interest in increased transparency while adhering to its obligation to protect certain categories of firm information.
In addition, the Board notes that Sarbanes-Oxley expressly provides for the public reporting of audit firm information. Comments suggesting that investor protection is principally achieved through non-public submission of information to the PCAOB through its inspection processes do not adequately account for this aspect of Sarbanes-Oxley. The Board has carefully weighed its authority and obligations under Sarbanes-Oxley when considering what reporting to make public and what information to require on a non-public basis.
Some commenters expressed general concerns regarding the disclosure of personal data by non-U.S. firms. The Board notes it is narrowing the category of individuals identified under the final rules to more senior roles likely to be public. See below for a more complete discussion of personal identifying information and provisions regarding conflicts of laws and non-U.S. firms, including that the Board has permitted assertions of conflicts in connection with the disclosure of certain QC roles.
Information To Be Reported Confidentially
Under the proposal, certain other information would be provided to the PCAOB confidentially, namely special reporting of material events, cybersecurity incident reporting, and financial statements from the largest firms. 71 In proposing not to make this information publicly available, the Board weighed the public interest in public reporting of this information, the potentially sensitive and developing nature of the information requested, and the Board's obligations under Sarbanes-Oxley.
Footnotes:
71 ?Such information described herein would be reported confidentially without a need for the firm to request confidential treatment.
With respect to material event reporting, the Board noted the potentially sensitive and developing nature of this information. For example, the material event reporting item contemplated advance reporting of events that are anticipated and may still be developing. Cybersecurity incident reports, similarly, may involve developing events. As detailed below, the Board believes the PCAOB has a regulatory interest in timely notice of these types of events. However, the Board believes firms may be in a better position to report fully and candidly to the PCAOB about developing events if they are confident that the information would be confidential and part of an ongoing dialogue between the firm and the PCAOB regarding such events.
Further, with respect to cybersecurity incident reporting, the Board considered the potential that public reporting of such information could create vulnerabilities for the audit firm ( e.g., reporting would provide information that bad actors could leverage against the audit firm) in addition to the potentially developing nature of such incidents at the time of reporting. While the Board believes that cybersecurity incident information could be reported in a summary fashion that both protects the audit firm and informs the public, the Board thinks it may better facilitate timely reporting of such information if firms are not required to expend the resources and time necessary to consider the implications of public reporting of cybersecurity incident information and carefully scope it in deference to public reporting. In addition, the Board notes that there are state and consumer laws and regulations that require notification to individuals in cases of compromised data.
Finally, in certain limited circumstances, some of the financial information included in financial statements may be subject to laws relating to the confidentiality of proprietary, personal, or other information, or might reasonably be identified by a firm as proprietary, and there the Board would need to honor a firm's properly substantiated request for confidential treatment of such information. The Board does not believe the public interest would be served by incomplete, piecemeal reporting of a firm's financial information.
[top] Some commenters recommended that the Board expand the scope of publicly reported information by making audit firm financial statements public. Some commenters encouraged the PCAOB to maintain confidentiality in perpetuity for items collected under this new disclosure regime ( i.e., financial statements, cybersecurity incidents, and certain special reporting events). A commenter requested that the PCAOB clarify explicitly whether these new reporting items would remain confidential. One urged the Board to provide more detail on confidentiality protections over these enhanced areas of reporting. Another suggested that the expanded fee information, cybersecurity related policies and procedures, and certain firm governance and global
As explained in the proposal, the Board sought to achieve a balance between protecting potentially proprietary, sensitive, and developing information that could reveal firm vulnerabilities, on the one hand, and serving the public interest in transparency on the other. The Board still believes it strikes an appropriate balance to require that the financial statement, material event, and cybersecurity incident reporting requirements be confidential, while requiring other reporting areas to be public. The Board believes that much of the information required to be publicly disclosed is of the type that is already publicly available in some format, i.e., the type of fee, governance, and network information that the Board requires is of the type that some firms already report in voluntary transparency reports or on their websites. Moreover, in cases where such information is not currently in the public domain, the nature of the applicable disclosure requirement is sufficiently general and principles-based that it should not expose a firm to significant vulnerabilities or the disclosure of proprietary information. And the Board has further modified the final amendments to mitigate the possibility of the disclosure of proprietary information or personal data in the public reporting requirements, as discussed above. At the same time, the Board continues to believe that the potentially proprietary, sensitive and developing nature of certain information militates in favor of confidential reporting, and that confidential reporting would promote more candid reporting that would better serve the PCAOB's regulatory oversight objectives.
In addition, the Board clarifies that it does not intend to make public the information that would be reported confidentially under the final amendments. Discussion in the proposal of information that may be made public in the future was limited to two scenarios. First, the proposal stated that the Board intended to analyze reported information to determine if further information should be made public pursuant to a later rulemaking. In other words, the Board may in the future require additional public reporting, but such reporting would be required pursuant to a further rulemaking initiative. The Board does not intend to retroactively make public information submitted under the final amendments. Second, the Board may consider making certain reported information public in an anonymized and aggregated fashion that would not compromise the confidential nature of any individual firm's disclosure. This is consistent with the Board's current practice in, for example, staff publications? 72 and is consistent with the Board's obligations under Sarbanes-Oxley to protect certain categories of information. Neither discussion was intended to convey that the Board intended to make public any information submitted by an individual firm on a non-public basis pursuant to the final amendments.
Footnotes:
72 ? See PCAOB, Staff Publications, available at https://pcaobus.org/resources/staff-publications.
Confidential Status of Reported Information
Some commenters suggested that any information required by the proposal should be submitted by firms to the PCAOB only through the inspections process so that the information acquired the protections of Section 105(b)(5) of Sarbanes-Oxley. One commenter expressed that it is unclear whether confidentiality protections under Section 102 of the Sarbanes-Oxley Act would provide the same level of assurance of confidentiality protection as that provided by Section 105(b)(5). This commenter discussed that it would be unclear how the Board interprets its duties under the Sarbanes-Oxley in scenarios where the PCAOB receives requests for confidential information from third parties not covered by Section 105(b)(5) and where the PCAOB makes information reported under the proposal available to other agencies. Another similarly stated that any information the Board is seeking for its own use in overseeing registered firms through confidential submissions should continue to be collected pursuant to the PCAOB's inspection process. A commenter also asserted that the PCAOB should clarify that Section 105(b)(5) applies to any information or data reported to the PCAOB on a confidential basis.
Under Sarbanes-Oxley Section 102(e), the information provided under this section "shall be made available for public inspection, subject to rules of the Board or the Commission, and to applicable laws relating to the confidentiality of proprietary, personal, or other information contained in such applications or reports, provided that, in all events, the Board shall protect from public disclosure information reasonably identified by the subject accounting firm as proprietary information."
In addition, under Section 105(b)(5) of Sarbanes-Oxley, "information prepared or received by or specifically for the Board, and deliberations of the Board and its employees and agents, in connection with an inspection under section 104 or with an investigation under Section 105, shall be confidential and privileged as an evidentiary matter" subject to certain limitations and exceptions.
The Board has relied principally on Section 102, rather than Sections 104 or 105, to require reporting of the information to be provided under the final amendments, but has set forth in the final amendments that certain categories of information shall be confidential. In general, as described above, the Board does not intend to make public the information reported confidentially by an individual firm under the final amendments. 73
Footnotes:
73 ?This is subject to the enumerated exceptions in Section 105 related to sharing with, among other entities, the SEC.
[top] The Board notes that it is the intended purpose of the final amendments that the information be used in connection with inspections authorized under Section 104 as detailed below. 74 In particular, the Board currently collects financial statements for certain large firms as part of its inspection process as noted in the proposal. The financial statement reporting requirement included in the final amendments is intended to improve the standardization and consistency of the provision financial statements, specifically with reference to (though not expressly limited to) their use by the inspection staff in the course of annual inspections of those firms. In this regard, the Board believes that the information collected on a confidential basis under the final amendments to inform the PCAOB's oversight of firms, particularly financial statements collected to inform inspections, may be subject to the privileges afforded information received by the Board in connection with an inspection under Section 104. 75 To make more apparent the Board's intention in this regard, the Board has moved the rule mandating the reporting of financial statements to Section 4: Inspections in the Board's rules and renumbering accordingly. The Board believes this renumbering is more
Footnotes:
74 ?This does not foreclose other uses.
75 ?Subject to certain exceptions, documents and information prepared or received by or specifically for the Board, in connection with an inspection under Section 104 of Sarbanes-Oxley, shall be confidential and privileged as an evidentiary matter under Section 105(b)(5) of Sarbanes-Oxley.
With respect to confidentially reported information, the Board notes there are compelling reasons to resist any publication or sharing of this information as discussed throughout the release. For example, material event reporting may implicate information that is sensitive and/or proprietary and, in certain instances, protected from disclosure under Sarbanes-Oxley. Cybersecurity incident reporting may implicate information that could give rise to security issues for registered firms or otherwise compromise sensitive aspects of a firm's operations.
Finally, the Board observes that, with respect to information reported confidentially, the Board has historically provided firms an opportunity to request notification in the event that the Board is requested by subpoena or other legal process to disclose such reported information. 76 The Board believes that such a provision is appropriate with respect to the confidentially reported financial statements, material events, and cybersecurity incidents and are modifying Forms 2 and 3 to provide firms this option.
Footnotes:
76 ? See, e.g., Form 1-WD, General Instruction 5 ("Pursuant to Rule 2107, any Form 1-WD filed with the Board shall be non-public. A registered public accounting firm may submit with Form 1-WD a request for Board notification in the event that the Board is requested by subpoena or other legal process to disclose the Form 1-WD. The Board will make reasonable attempts to honor any such request, although the Board will make public the fact that the firm has requested to withdraw from registration.").
3. Assertion of Conflicts of Laws
The Board acknowledges that there may be certain limitations with respect to the data or information about a firm and its personnel that a firm may communicate publicly because public dissemination of it may conflict with a non-U.S. law. In considering whether to allow the opportunity to assert conflicts, the Board has considered both whether it is realistically foreseeable that any law would prohibit providing the required information and, even if it were realistically foreseeable, whether allowing a firm preliminarily to withhold the information is consistent with the Board's broader responsibilities and the particular regulatory objective. 77 In addition, even where the Board has allowed registered firms to assert legal conflicts in connection with other forms, that accommodation does not entail a right for a firm to continue to withhold the information if it is "sufficiently important."? 78
Footnotes:
77 ? See PCAOB Rel No. 2015-008, at 37.
78 ? See, e.g., PCAOB Release No. 2008-004, at 37-38 n.37.
At the time it implemented Form 2, the Board extended an accommodation to registered non-U.S. firms by permitting them to request confidential treatment of information provided in response to Form 2, Item 3.2 (Fees Billed to Issuer Audit Clients). 79 The staff's experience of reporting in response to that item has suggested that such an accommodation is not necessary. The Board has not granted a request for confidential treatment for information reported under this item, and it is not aware of any law that prohibits providing the fee information that is currently required or the fee information that the Board proposed to require. The Board notes that audit firm fee information is routinely reported under various international transparency directives, as well as pursuant to SEC issuer reporting requirements. Accordingly, the Board proposed to revise the instructions to Form 2 to delete the language permitting foreign registered firms to seek confidential treatment of information provided in response to Form 2, Item 3.2.
Footnotes:
79 ?For a firm to request confidential treatment, PCAOB Rule 2300, Public Availability of Information Submitted to the Board; Confidential Treatment Requests, at (c)(2) requires both a representation that the information has not otherwise been publicly disclosed and either (1) a detailed explanation of the grounds on which the information is considered proprietary, or (2) a detailed explanation of the basis for asserting that the information is protected by law from public disclosure and a copy of the specific provision of law.
With respect to the remaining information the Board proposed to require (with the limited exceptions of certain QC roles identified below), based on the Board's experience in this area, the Board did not foresee a realistic possibility that any law would prohibit a firm from providing the information. As noted above, in general, the Board believes that the information to be publicly reported is of the type that is already made public in some form by audit firms, including in existing transparency reporting, or is otherwise publicly available. The Board has also designed the reporting requirements with a view to avoiding personal identifying or client-specific information of the sort that could be protected by law. 80
Footnotes:
80 ?The Board acknowledges certain requirements call for the names and titles of those in audit firm leadership positions. However, the Board believes the reporting requirements call for information regarding individuals in sufficiently senior positions that such information should already be public, with the limited exceptions of certain QC roles discussed below assertions of conflicts will be permitted for non-U.S. firms.
Several commenters urged the PCAOB to retain the existing confidentiality treatment provision in Form 2 and extend such provision to cover the proposed disclosure items in order to allow non-U.S. firms to request confidential treatment where a required disclosure by a firm would be in conflict with applicable local laws/regulations. Commenters clarified that allowing such requests would protect against future conflicts of law that might develop. One commenter stated that they understood from non-U.S. firms that some of the proposed new required disclosures go beyond what non-U.S. regulators require and may lead to violations of local laws resulting from disclosure of information that non-U.S. auditors are required to keep confidential.
As an initial matter, after considering the comments, the Board has decided to maintain its decision to eliminate the instructions to Form 2 with the language permitting foreign registered firms to seek confidential treatment of information provided in response to Form 2, Item 3.2. Commenters have not brought to the Board's attention specific laws that would prohibit disclosure of this item, including in its amended form requiring fee amounts. The Board received general comments on fee amounts, as opposed to proportions, implicating proprietary information. However, the Board notes the fee information would be reported on an aggregated basis. Even if a firm has limited clients or a single issuer client, it is not clear how that would implicate information that would be prohibited from disclosure by law, especially in light of the public reporting of such information under SEC rules.
[top] With respect to personal data, as discussed below, the Board has limited requirements to only the more senior roles that it believes are most likely to be public. With respect to certain individual names that may be less senior or less likely to be otherwise publicly disclosed (QC operational and oversight roles), the Board further is permitting non-U.S. firms to assert conflicts. Commenters did not identify other categories of personal data that could not be disclosed under foreign law. In general, the comments the Board received on this issue did not identify specific provisions of laws, or existing rulemaking efforts, that would create conflicts between those laws and specific proposed metrics. The conflicts purportedly identified were instead general or speculative in nature.
Discussion of the Reporting Updates
The Board has adopted amendments to Forms 2 and 3 to impose new reporting requirements, and to implement a new form for firms to update their "Statement of Applicant's Quality Control Policies" reported on Form 1? 81 on a one-time basis. This section discusses the specific amendments.
Footnotes:
81 ?The Statement of Applicant's Quality Control Policies is currently reported on Form 1.
Financial Information
1. Fee Information
The Annual Report Form currently requires firms to report the percentages of total fees that were billed to issuer clients for audit services, other accounting services, tax services, and non-audit services relative to the total fees billed for the period. 82 When the Board originally conceived this requirement, it intended for it to provide "a picture of how the firm's services for issuer audit clients compare generally with the firm's services for other clients, and . . . also [to] provide a picture of the allocation of services the firm provided to issuer audit clients."? 83 The Board continues to believe that such information is useful to investors and audit committees in understanding a firm's audit practice, individually and relative to other services provided. In the proposal, the Board explained that it believed requiring reporting in actual dollar amounts, rather than percentages, and providing more complete and further disaggregated fee information, would increase the benefit of this reporting requirement.
Footnotes:
82 ? See Form 2, Item 3.2.
83 ? See PCAOB Release No. 2006-004, at 4. With respect to the PCAOB's regulatory authority to impose requirements to disclose non-audit related fees, Sarbanes Oxley Section 102(d) gives the PCAOB authority to require "additional information as the Board or Commission may specify, in accordance with subsection (b)(2)." Section 102(b)(2)(H), in turn, specifies that such information can be necessary or appropriate in the public interest or for the protection of investors. Here, obtaining additional data on non-audit services allows Form 2 user to better assess how the firm's audit practice compares to other parts of its business. This is consistent with the PCAOB's original rationale for collecting information for fees from non-audit services.
Accordingly, the Board proposed to amend Form 2, Item 3.2 to require enhanced information regarding a firm's audit fees. Specifically, the Board proposed to require firms to report:
• Fees for audit services, in total and from
• issuers;
• broker-dealers;
• and other companies under audit (delineating sources, e.g., fees from private company audits and custody rule audits);? 84
Footnotes:
84 ?PCAOB Rule 1001, Definitions of Terms Employed in Rules, at (a)(vii) defines "audit services" as follows:
With respect to issuers, the term "audit services" means professional services rendered for the audit of an issuer's annual financial statements, and (if applicable) for the reviews of an issuer's financial statements included in the issuer's quarterly reports or services that are normally provided by the accountant in connection with statutory and regulatory filings or engagements for those fiscal years; With respect to brokers and dealers, the term "audit services" means professional services rendered for the audit of a broker's or dealer's annual financial statements, supporting schedules, supplemental reports, and for the report on either a broker's or dealer's compliance report or exemption report, as described in Rule 17a-5(g) under the Exchange Act.
• Fees from other accounting services;? 85
Footnotes:
85 ?PCAOB Rule 1001(o)(i) defines "other accounting services" as assurance and related services that are reasonably related to the performance of the audit or review of the client's financial statements, other than audit services.
• Fees from tax services;? 86 and
Footnotes:
86 ?PCAOB Rule 1001(t)(i) defines "tax services" as professional services rendered for tax compliance, tax advice, and tax planning.
• Fees from non-audit services. 87
Footnotes:
87 ?PCAOB Rule 1001(n)(ii) defines "non-audit services" as all services other than audit services, other accounting services, and tax services.
The proposal, in contrast to the current Form 2 requirement, would have required reporting of fees billed in these categories from all clients rather than from issuer audit clients.
Some commenters generally supported the proposed enhanced fee requirements, with one commenter noting that the allocation of fees between issuers, broker-dealers, and non-PCAOB clients may be useful to investors and audit committees in assessing the qualifications of potential audit firms. One commenter noted that the disaggregation of fees between issuer and broker-dealer audit clients may provide relevant information about the nature of the firm's activities and expressed support for disclosure that enabled comparison of a firm's issuer audit practice as compared to its other practice.
Some commenters expressed concerns about the usefulness of proposed enhanced fee reporting, including skepticism that reporting in actual fee amounts would provide greater insight than fee information reported in percentages, noting the proposed fee categories deviate from fee disclosures required in SEC proxy statements and suggesting the fee information in existing Form 2 requirements and proxy statements provides adequate insight into audit fees. One commenter suggested that retaining percentage-based disclosure would allow stakeholders to remain focused on meaningful metrics. One commenter stated the proposed fee disclosure was tantamount to detailed segment disclosure of revenue across service lines and suggested the proposed requirement conflicts with the Board's proposed confidential approach to reporting financial statements. Some commenters questioned whether any inferences regarding audit quality could be drawn from the proposed fee disclosures and one suggested fee disclosures, if any, should be limited to fees for services to issuers and broker-dealers and fees provided to other clients. Some commenters also questioned whether the proposed fee disclosures would increase comparability, noting the differences of size and structures of firms.
[top] Other commenters stated that reporting fees at the proposed level of granularity would represent substantial costs for firms, with one commenter particularly highlighting difficulties of reconciling timing and allocation of private company audit fees. That commenter also stated that the level of precision the proposal would require is inconsistent with the PCAOB's original rationale for fee reporting and suggested more research before implementing the proposed requirement. Another commenter stated that reporting fees at the proposed level of specificity would require transformation of finance systems for many firms, stating that the proposal would eliminate a reliable existing source of fee data in SEC disclosures, remove the current Form 2 provision that allows for estimates, and require special tracking fees for the new PCAOB fee categories. Another commenter stated that, because its issuer audit practice is small, the costs of fee disclosure would be disproportionate to the number of audits impacted. One commenter suggested that, if the Board proceeds with the fee proposal, it should be modified to allow estimates, allow use of data already required to be provided in SEC filings, allow for reporting based on client or firm fiscal year end, and allow firms to
Some commenters questioned whether the proposed disclosure of fees regarding non-PCAOB audits were within the PCAOB's remit or opposed the level of disaggregation of the audit fees for non-PCAOB audits. Some commenters suggested that the proposed disclosure of fees related to non-PCAOB audits was in tension with the clarification and distinction between services subject to and not subject to PCAOB oversight discussed in proposed Rule 2400, Proposals Regarding False or Misleading Statements Concerning PCAOB Registration and Oversight and Constructive Requests to Withdraw from Registration or could cause confusion about the scope of the Board's oversight that could lead to a false sense of confidence in non-PCAOB aspects of a firm's operations. Other commenters suggested the proposal steps into the regulation of non-PCAOB audits.
In addition, commenters asked for clarification regarding the shift from requiring disclosure of fees billed to issuers to fees billed to all clients. Finally, some commenters asked for a materiality or de minimis threshold for fee disclosures. One commenter stated that, under current Form 2 reporting requirements, it would take a material difference in fees to shift the percentage that is reported.
The Board also solicited comments on whether it should consider changing the Form 2 reporting period, including to align with Form FM, which commenters opposed.
The Board has adopted enhanced fee disclosure requirements with modifications. The Board continue to believe that requiring disclosure of actual fee amounts, rather than percentages, will increase the usefulness of fee reporting. For example, disclosing actual fee amounts of issuer audit fees will permit stakeholders to ascertain the size of a firm's audit practice, isolate firms of similar size, and compare fee information across a subset of similarly sized firms. In addition, the Board continues to believe that, despite the availability of issuer-level fee data in SEC filings, it is beneficial to provide aggregated data to stakeholders, particularly investors, for whom it would represent a significant cost to compile similar information from SEC filings.
In consideration of comments, the Board has eliminated the proposed requirement to provide disaggregated data for audit services billed to non-issuer and non-broker-dealer clients ( i.e., to non-PCAOB clients). In addition, the Board has eliminated the requirement to report fees billed to all clients for each of the four fee categories. While the Board continues to believe that it is both within the PCAOB's statutory authority, and an appropriate exercise of that authority, to require reporting of information regarding an audit firm's operations that may bear on its audit practice, the Board is mindful of comments regarding the costs and ambiguities of disclosing at the proposed level of granularity.
Accordingly, the modified amendment will require firms to report the amount of fees billed to issuer audit clients for audit services, other accounting services, tax services, and non-audit services during the reporting period. These amounts represent the numerator for the proportion that must currently be calculated in order to report the percentages currently required on Form 2. In other words, this amendment should not require any additional tracking or calculation by firms. In addition, the modified requirement would require firms to report the total fees billed by the firm to all clients for services rendered during the reporting period. This amount represents the denominator for the proportion that must currently be calculated in order to report the percentages currently required on Form 2. Therefore, again, this amendment should not require any additional tracking or calculation by firms. Finally, the modified requirement will require firms to report fees billed to broker-dealer audit clients during the reporting period. The Board agrees with commenters that supported this element of the proposal and continues to think it is appropriate to provide some insight into the broker-dealer practice in relation to the firm's other practices.
Further, in a change from the proposal, for fees billed to issuer audit clients, the modified requirement will retain Form 2's existing provision permitting a firm to identify whether it is reporting amounts for the Form 2 reporting period or fee amounts disclosed to the Commission by those clients for each client's fiscal year. It will further retain Form 2's existing provision allowing firms to indicate if they have used a reasonable method to estimate amounts and to describe its reasons for doing so. It will not retain the Form's current rounding provision as that provision refers to rounding reported percentages to the nearest five percent and would be inapplicable to reported amounts. Instead, it will substitute language permitting rounding to the nearest dollar amount.
The Board believes these changes will ease implementation and costs associated with enhanced fee reporting while still providing the most useful proposed additional information to investors, audit committees, and other stakeholders, and better aligning the fee disclosure requirement on Form 2 with those required in other jurisdictions, such as the EU. 88
Footnotes:
88 ?The changes will not accomplish perfect alignment with EU reporting categories but better align with that reporting regime while maintaining SEC fee reporting categories.
As proposed, the Board has not adjusted the Form 2 reporting period to align with the Form FM reporting period or otherwise.
Lastly, the Board has not adopted a materiality or de minimis threshold in connection with the obligation to amend forms to correct information that was incorrect at the time the report was filed or to provide information that was omitted from the report and was required to be provided at the time the report was filed. Historically, the Board has not established, and has not found necessary, materiality or de minimis thresholds in connection with form amendments. The Board believes that implementing a materiality or de minimis threshold would introduce unnecessary complexity and uncertainty to the form amendment process and, further, would potentially threaten, or be perceived to threaten, the accuracy and reliability of reported information, thereby undermining the intended purpose of the amendments. The Board notes that rounding and reasonable estimates are permitted in connection with fee reporting. There is no expectation that differences in reported amounts within the rounding threshold, or differences between actual and estimated amounts, would require amending the form to correct reported amounts.
2. Financial Statements
[top] In addition to enhanced fee information, the Board proposed to require that the largest firms provide financial statements to the PCAOB annually on a confidential basis. The Board proposed to define the largest firms as those that issued more than 200 reports for issuer audit clients and had more than 1,000 personnel during the relevant reporting period. 89 The Board
Footnotes:
89 ?The number of firm personnel is currently reported in Item 6.1 of Form 2 and information regarding audit reports for issuers is currently reported in Item 4.1 of Form 2. As of December 31, 2023, the registered firms that meet such criteria audit issuers that possess a combined market capitalization of $62.19 trillion, which represents 99.82% of the total market capitalization of all issuers audited by registered firms.
90 ?The firms that would currently meet this threshold are U.S. firms; therefore, the applicable financial reporting framework would be U.S. GAAP.
Further, the Board did not propose public reporting of financial statements. The Board did propose, however, to modify the Annual Report Form to include a checkbox for the largest firms to indicate they have submitted financial statements confidentially to the PCAOB.
As discussed in more detail in the proposal, the Board believes requiring financial statements from the largest firms will enhance the PCAOB's oversight and monitoring of these firms and the audit market. This information will help the PCAOB better understand a registered firm's audit practice, the relationship of its audit practice to its overall business, and the overall financial stability of a firm. An assessment of audit firm resources will enable the Board to understand a firm's capacity to withstand risks associated with events such as a firm's break-up, court judgments against the firm, or threats to global networks or other affiliates that may require the firm's support. The financial statement information will inform the PCAOB's inspection function by providing a baseline understanding of a firm's operations, the resources devoted to its audit practice, and its focus and incentives. Further, financial information will inform overall economic and risk analysis, including as it relates to analysis performed to support standard-setting, inspections, and enforcement activities, and the Board's overall oversight.
Finally, the Board explained in the proposal that requiring this information to be presented in accordance with an applicable financial reporting framework will increase the usefulness of this information to the PCAOB by facilitating analysis and comparison across firms and ensuring the information is presented completely and in an accessible manner.
General Comments
Some commenters supported the proposed financial statement requirement generally, noting its consistency with the ACAP recommendation. These commenters also supported requiring financial statements to be public and audited, citing prior IAG discussions and the ACAP recommendation, and stating auditing firms in the UK have publicly issued annual reports containing audited financial statements for a dozen years. These commenters stated that investors would find aspects of audited financial statements and related footnotes useful when making proxy voting decisions or exercising oversight responsibilities over public company audit committees. They also stated that aspects of the independent auditor's report would provide useful information to investors when making proxy voting decisions or exercising oversight responsibility over public company audit committees.
Some commenters opposed any auditing requirement. Others supported maintaining the confidentiality of financial statements, including suggesting that disclosure of confidential financial information could expose firms to competitive and other risks. One commenter suggested that public reporting of financial statements could mislead the public into believing that all areas of the audit firm's business are subject to PCAOB oversight.
Others opposed the financial statement requirement generally and raised questions regarding the value of the reported information to the PCAOB, including stating that the proposal does not identify specific actions the Board would take, or could take within its authority, if it identified solvency-related information and asking for more clarity on how the Board would use the information, questioning how the information would improve audit quality and safeguard investors, and noting that the PCAOB has access to financial statement information through the inspection process. One commenter stated that there would be few firms that would qualify for the financial statement requirement and they would be submitted confidentially; therefore usefulness and benefits of the data would be limited but still involve tremendous cost. Some commenters questioned whether the requirement is within the Board's authority, with one specifically noting the requirement to delineate financial statements by service line and stating the proposal is in conflict with the Board's Rule 2400 proposal.
The Board has adopted the proposed financial statement reporting requirement with modifications. For the reasons noted in the proposal, the Board continues to believe that requiring the largest firms to report financial statements to the PCAOB annually will enhance PCAOB oversight of these firms. As commenters observed, the PCAOB can collect, and at times (including at present) has collected, financial statements from larger firms through its inspection function. However, the financial statements have not been provided in a consistent and readily comparable form when collected in the inspections context. The Board continues to believe that financial statements are useful in the inspection context to broadly understand the firm's business and allocation of resources, and further believes that the utility will be enhanced by the increased standardization and consistency that will result from formalizing the collection of financial statements through a reporting requirement. For example, more standardized reporting of financial information will better enable the Board to understand the allocation of resources to a firm's audit practice, including changes in resources available from year to year. As another example, reliable year-over-year collection of financial statements will increase their usefulness in producing research to inform standard-setting and rulemaking. In addition, having more standardized financial statements on hand will assist the Board in understanding a firm's ability to withstand potential solvency threatening events reported under other provisions of the final rules.
[top] The Board agrees with commenters that confidential collection of financial statements is appropriate at this time. The Board acknowledges investor comments that aspects of financial statements may be useful to them in exercising voting and oversight responsibilities but, at present, continues to believe it does not have sufficient information regarding what
Footnotes:
91 ? See Form 2, Part X.
Lastly, the commenters generally agreed with the proposal not to define a firm's fiscal year for purposes of the financial statement requirement. As proposed and consistent with comments received, the Board has not defined a fiscal year in connection with this requirement.
Comments on GAAP/IFRS
Some commenters supported the proposal to require financial statements to be reported in accordance with an applicable financial reporting framework, i.e., GAAP or IFRS. Other commenters opposed the GAAP requirement, or expressed concerns, stating that it should not be necessary to achieve the Board's objectives, and the Board does not have a regulatory need for comparability, and questioned how the information would be useful to the Board. Others stated that comparability would be hindered including due to differences in firm structures. Some commenters stated that any additional information should be collected through the inspection process which would permit dialogue or follow-up requests.
Some commenters noted that most firms do not prepare GAAP financial statements. Commenters also noted in connection with this requirement that firm business models and structures vary, reporting per an applicable financial reporting framework would not serve a business purpose for the firm, and firms would incur significant costs to prepare GAAP financial statements, with one commenter noting smaller firms would find the requirement particularly burdensome. One commenter stated that GAAP financial statements may require consolidation of subsidiaries, which could include international businesses and other service lines, which may include more information than intended by the proposed requirement. Another commenter stated that firms as privately held entities should have flexibility to provide financial statements in the form used by firm management. One commenter stated that its audit practice is a small part of its overall business and therefore its financial statements would predominantly not relate to its audit practice.
A commenter noted that the proposed reporting by business line will create additional cost. Another commenter noted the need to clarify the delineation of statements by business line, noting that GAAP may or may not require such a delineation. Other commenters stated that to reconcile non-conforming financial statements to the applicable financial reporting framework during the proposed transition period would essentially require firms to do GAAP during that period.
The Board has not adopted the requirement to report financial statements in accordance with an applicable financial reporting framework. As discussed in greater detail in Section D, the Board understands that preparing financial statements in accordance with GAAP will entail costs and that firms do not necessarily have a business purpose for the preparation of such financial statements. However, the Board continues to believe that standardizing to some degree the form in which financial statements are reported will enhance the Board's oversight, both with respect to the current use of financial statements in the inspections context and for broader regulatory purposes that more standardized reporting may enable, including to inform policy research. However, the Board is persuaded that it can achieve a useful degree of standardization without mandating reporting in conformity with GAAP. Accordingly, the Board has adopted the rule without language requiring reporting in conformity with an applicable financial reporting framework.
The Board has retained the requirement that reported financial statements should include a balance sheet, income statement, cash flow statement, and notes to the financial statements for the entity registered with the Board. The Board believes it is useful to set forth the basic components that should be included in the financial statements for clarity. The Board has also retained the requirement that financial statements should delineate by service line ( i.e., audit services, other accounting services, tax services, and non-audit services). 92 This delineation is consistent with the Board's historical rationale for requiring fees to be reported for these categories, namely to understand the audit practice in context with the firm's other lines of business. However, the Board has specified that the delineation by service line should include, at a minimum, delineation by service line of revenue and operating income. With respect to revenue, given the current Form 2 requirements for fee reporting with respect to these four service lines, and based on the staff's oversight experience, the Board believes firms should already be delineating fees in this manner. Narrowing this requirement to revenue and operating income-instead of leaving the requirement broadly applicable to all aspects of the financial statements or as compared to GAAP segment reporting-should clarify the requirement and ease implementation costs.
Footnotes:
92 ?The proposed rule indicated that financial statements should delineate by service line ( i.e., audit services, other accounting services, tax services, and non-audit services subject to PCAOB oversight). The Board has clarified in the final amendments that it means audit services, other accounting services, tax services, and non-audit services as those terms are defined in the Board's rules.
[top] To achieve a further degree of standardization and, in turn, help ensure the financial statements improve PCAOB oversight, the Board has added language to require that financial statements should be prepared on an accrual basis. Additionally, the Board has included language to require reporting of significant ownership interests, private equity investments, unfunded pension liabilities, and related party transactions, including those with other members of a global network. 93 The Board believes specifying accrual basis of accounting (1) should help ensure that the staff has access to audit firm financial information that may impact the audit practice ( e.g., accrued compensation and benefits, post-retirement medical benefits, distributions to former partners, accounts payable, long-term debt and notes payable, reserves for claims, taxes, advance payments from clients, lease obligations, related party obligations, and other expenses
Footnotes:
93 ?The Board notes that it is declining at this time to promulgate a more comprehensive framework for financial reporting by audit firms in favor of these minimum specifications.
94 ?The Board notes that GAAP/IFRS financial statements are accrual basis and the comments on that aspect of the proposal did not specify that accrual basis in particular would be problematic or costly. Indeed, a commenter stated that financial statements prepared on a non-GAAP or modified GAAP basis using accrual accounting reflect the way firms run their businesses and are therefore more appropriate and useful for the PCAOB.
95 ?The Board believes the additional specified information is of the type that would be called for by GAAP. See, e.g., ASC 810 and ASC 850.
The Board believes these modifications balance the need for some degree of standardization in order to improve staff oversight with the costs to firms that conformity to GAAP/IFRS would have entailed.
In further consideration of comments regarding costs, the Board continues to believe it is appropriate to confine this requirement to the largest audit firms, which are better able to bear costs. Accordingly, the Board has adopted the large firm threshold substantially as proposed. The Board has modified the language codifying the threshold to clarify that it depends on the number of issuers for which a firm has issued audit reports, i.e., the requirement applies to a registered public accounting firm that issued audit reports for more than 200 issuers and had more than 1,000 personnel during the preceding Form 2 reporting period, rather than a firm that has issued more than 200 audit reports. This better aligns with information reported on Form 2.
Because the Board has not adopted the GAAP/IFRS requirement (and therefore are not adopting segment reporting requirements or interim requirements to reconcile non-conforming information) the Board has not further addressed comments regarding tension between GAAP segment reporting and reporting by service line, or comments regarding the requirement to reconcile non-conforming information during the transition period.
Comments on Authority
Some commenters suggested that requiring GAAP financial statements exceeded the PCAOB's authority. Specifically, for example, a commenter stated that it questioned the authority and rationale behind requiring firms to change their basis of financial reporting when many use (and may be required to use, pursuant to partnership agreements or other obligations such as bank covenants and related arrangements) another framework to manage and report on their business operations. The Board thinks comments of this nature are mooted to a significant degree by removing the requirement to report in conformity with an applicable financial reporting framework. In addition to the above-referenced general response regarding authority for these reporting requirements, the Board notes that it is not purporting to dictate anything regarding the financial reporting that a firm engages in for business and other purposes. The exclusive purpose of the reporting requirement is to set forth some minimum requirements for reporting to the PCAOB that will enhance the PCAOB's oversight as it relates to the firm's conduct of audits and the Board's objective of understanding the firm's audit practice in relation to the conduct of its overall business.
Governance Information
The Annual Report Form currently requires firms to identify the legal name of the firm, contact information for the firm, and a primary contact person for the Board. In recent years, regulatory requirements, investor demands, and market practices have come to reflect a consensus around the importance of governance information to investors and audit committees. For example, IOSCO, after extensive study and outreach, published a guidance document for audit firm transparency reporting in which it specified including a description of the firm's legal, ownership, and governance structure. 96 One disclosure guide for transparency and audit quality reporting notes the direct relationship between firm leadership and governance on the one hand, and audit quality on the other, identifying governance and leadership as a component of audit quality. 97 Transparency regulations in other jurisdictions require firms to publish certain governance information. 98 The prevalence of such information in mandatory and voluntary transparency frameworks reflects its fundamental importance to understanding and assessing an audit firm and its ability to deliver audit services. Importantly, however, voluntary transparency reports have not resolved the present opacity with respect to audit firm structure, governance, and operations. The Board believes it can mitigate the lack of transparency through enhanced governance reporting requirements, which will also increase standardization of the information available.
Footnotes:
96 ?IOSCO, Transparency of Firms.
97 ?CAQ, Audit Quality Disclosure Framework (June 2023), at 8.
98 ? See, e.g., Regulation (EU) No 537/2014 at Article 13.
Accordingly, the Board proposed to amend Form 2 to create new Item 1.4 to identify the following enhanced governance-related information, as rendered in the proposing release:
• the principal executive officer and all direct reports to that officer, including names and titles;? 99
Footnotes:
99 ?Direct reports to the principal executive officer should not be understood to include administrative staff.
• the individuals who are responsible for various components of the QC system (outlined in QC 1000, A Firm's System of Quality Control ), including the individual(s) with ultimate accountability for the QC system as a whole;
• whether the firm has a governing board or management committees to which the principal executive officer reports and, if so, the identity of the members of that board or committee;
• the executive officer(s) who oversee(s) the firm's audit practice;
• whether the firm has an external oversight function for the audit practice composed of one or more persons who are not a partner, shareholder, member, other principal, or employee of the firm and does not otherwise have a commercial, familial, or other relationship with the firm that would interfere with the exercise of independent judgment with regard to matters related to the QC system and, if so, the identity of the person or persons and an explanation for the basis of the firm's determination that each such person is independent (including the criteria used for such determination) and the nature and scope of each such person's responsibilities (within this release, such persons who meet the outlined criteria are referred to as the firm's "External QC Function (EQCF)");? 100 and
Footnotes:
100 ?See A Firm's System of Quality Control and Other Amendments to PCAOB Standards, Rules, and Forms, PCAOB Release No. 2022-006 (Nov. 18, 2022), at 97.
[top] • a description of the legal structure, ownership, and governance of the firm, including processes that would govern a change in the form of the organization ( e.g., what are the relevant governing bodies, voting rights, and approval requirements relevant to such an organizational change). In addition, the proposal would revise the form to specify that a firm should identify any change in the applicant's form of
With respect to the disclosure of the role of the EQCF within the audit oversight function, as proposed, the firm would have been obligated to report if such a role exists, and the name of any person occupying that role. 101 As proposed, in the event the firm reported one or more persons occupying the EQCF on Form 2, the firm would also have been required to report on Form 3 when such a person is appointed, resigns, is dismissed, ceases to meet the criteria to serve in the EQCF, or changes roles, the date of such event, and whether the change was recommended or approved by any governing board or management committee.
Footnotes:
101 ?The Board proposed that the name of the proposed EQCF and QC operational roles be subject to assertions of a conflict of laws by non-US registered firms. The Board thinks the name of the EQCF and QC operational roles are distinguishable from other names called for by this section insofar as this name or names may not already be public in connection with this role.
General Comments
Some commenters supported the proposed governance requirements, noting that they agreed that voluntary transparency reports have not resolved the present opacity with respect to audit firm structure, governance, and operations, and the amendments could mitigate the lack of transparency through enhanced governance reporting requirements, which would also increase standardization of the information available. Those commenters further stated they agreed that, among other things, enhanced governance information would allow investors, audit committees, and other stakeholders to better understand the practices of firms and differentiate among firms with respect to, for example, leadership, oversight of the audit practice, oversight of auditor independence practices, and board of directors composition, including independence of directors, and that requiring this information through a reporting requirement would increase the standardization, and therefore comparability, of information available to investors, audit committees, other stakeholders, and the PCAOB. Another commenter stated that the governance information may be useful to audit committees as they make auditor selection and retention decisions.
One commenter stated that, while it had reservations, it agreed with the Board's overall objective to obtain information regarding audit firm governance to help investors, audit committees, and other stakeholders better understand firm processes and priorities, and to bolster the PCAOB's oversight of registered firms. Another commenter, which also had reservations, noted that the proposed requirements would provide the PCAOB, investors, and other stakeholders a view as to how a firm is structured.
One commenter, while expressing other reservations, agreed that audit quality is linked to strong firm leadership and governance. Another commenter stated that the governance requirements may improve audit quality by helping audit committees in their decision-making and incentivizing firms to improve governance mechanisms, while at the same time noting uncertainty about whether the requirement necessarily will improve audit quality or whether any improvements would be meaningful or consequential. This commenter noted the particular relevance of legal, ownership, and governance structure since some firms are beginning to explore alternative structures including employee stock ownership and private equity investments, and recommended including a specific requirement to identify voting rights and other restrictions resulting from private equity investments.
Other commenters opposed and/or questioned the usefulness of the proposed requirements:
• One commenter stated that the proposal did not clearly articulate how the Board's proposed requirement would meet its objective due to the duplicative nature of the disclosure requirements and the availability of the information through alternative means.
• Another commenter objected overall to the governance reporting requirements because it would include operational details of audit firms that would not incrementally help stakeholders assess a firm or its ability to deliver audit services.
• Another noted that it was unclear how the array of information from all firms would be useful to stakeholders in assessing a firm and its ability to deliver audit services.
• Other commenters generally questioned the usefulness of the proposed items for investors or other stakeholders and/or how they would use this information.
• A commenter stated that audit committees in their capacity of overseeing the governance of auditors would be able to request and secure whatever information they determine necessary to assess an audit firm and its ability to deliver its services.
• One commenter questioned whether naming the individuals involved in an audit firm's governance will provide any meaningful benefit. This commenter also noted that users of this information would presumably have to perform other research on each person in order to realize any benefit. Another commenter stated it is unclear what purpose reporting all direct reports to the principal executive officer would serve. Another commenter noted the potential for misinterpretation of certain elements, specifically highlighting difficulties interpreting the requirement to report all direct reports to the principal executive officer. Another commenter noted direct reports to the principal executive officer may not be publicly available information. Another commenter recommended striking the requirement to include all direct reports.
• On the other hand, another commenter stated that by providing the names of the individuals, it will be evidence that someone has been assigned to each role and, by comparing to prior periods, whether there has been turnover in these positions.
• Several commenters stated that there are certain elements of the proposed governance reporting requirements that would mandate disclosure of granular operational details for which the Board has provided no evidence either of utility or decision-usefulness; these include the principle executive officer, the names of the individuals in the roles described in paragraph .12 of QC 1000 and the processes that would govern a change in the form of the organization.
• One commenter stated that it found reporting of the process that would govern a change in the form of organization to be too detailed and, in some cases, these processes are fluid and could evolve quickly as the change is occurring. A commenter noted that a description of the processes governing a change in the form of the organization can be complex and difficult to understand without significant context and recommended striking the change in governance requirement.
• Commenters noted the availability of governance information to the PCAOB through the inspection process or other avenues.
• Commenters stated that similar governance information is available in transparency reports. Other commenters highlighted that they provided similar information in their transparency reports.
[top] • A commenter stated that ownership-particularly percentages-
One commenter stated that it found this proposed requirement burdensome and excessive, particularly when considering that firms operate in a dynamic environment and may alter their structures and change personnel on a frequent basis. That same commenter stated that the proposed requirements included excessive granularity and may require significant context to be understood. Another commenter stated that the requirement to provide description of the legal structure, ownership, and governance of the firm, including processes that would govern a change in the form of the organization ( e.g., what are the relevant governing bodies, voting rights and approval requirements relevant to such an organizational change) was the type of information included in a partnership agreement, questioned why such information should be made public, and stated that it is unclear how stakeholders would use such information.
One commenter suggested that static, form-based reporting regarding governance would not result in meaningful transparency for investors and other stakeholders, and that governance reporting should be formulated to advance the ability of stakeholders (including investors and audit committees) to gain a holistic understanding of a firm's approach to audit quality through the eyes of the firm's leadership. A commenter recommended, if the Board moved forward with this requirement, that it streamline the requirement to focus on the most relevant information, in order to avoid duplication or overlap with other requirements, which could cause confusion to stakeholders. That commenter specifically recommended that the Board adopt a more general requirement to describe a firm's governance structure, including as it relates to the audit practice and system of quality management, without specifically requiring some of the more prescriptive elements of the proposal, stating that a more principles-based requirement is more likely to be informative to stakeholders because the disclosure would require firms to describe relevant parts of their own governance, rather than structuring their disclosure around very specific requirements that could be more relevant to some firms than others; such an approach that is less prescriptive would recognize that firm governance structures vary. A commenter recommended allowing firms to incorporate their transparency reports by reference to reduce cost and burden.
The Board continues to believe that requiring standardized reporting of specified governance information will provide useful information to investors, audit committees and the PCAOB. Investor comments on the proposal support the contention that the governance reporting requirements will provide meaningfully decision-useful information to them. With respect to audit committees, the Board agrees that audit committees can request specified information from firms. However, the standardized reporting of governance information would provide information across firms to facilitate comparison. The standardized provision of this information will not impede audit committees from requesting bespoke information from audit firms, nor from engaging with firms however they choose. The Board will likewise benefit from standardized information via a reporting requirement, notwithstanding the staff's ability to request specified information through the inspection process. For example, having increased and more standardized information will increase the efficient use of inspection resources by reducing supplemental or ad hoc requests.
While certain governance information may be available for certain firms through, for example, transparency reports, as discussed in the proposal, the Board continues to believe voluntary transparency reporting has not adequately mitigated opacity with respect to audit firm governance. Such reporting is inconsistent from year to year, from firm to firm, and, for many firms, simply not available. Mandatory reporting of specified governance information will increase the consistency and comparability of information available to all stakeholders. Allowing firms to substitute voluntary transparency reports for specified reporting on Form 2 would be inconsistent with this objective. Permitting firms to link to voluntary transparency reporting through a PCAOB form may create a misimpression regarding the reliability of such information.
With respect to suggestions to take a more principles-based approach, the final amendments provide for narrative governance disclosures, which balances the need for sufficiently prescriptive requirements to promote standardization and comparability with the need for flexibility to provide context and account for varying firm structures.
In consideration of comments and to better achieve the Board's regulatory objectives, the Board has modified certain elements of the amendments to better tailor the requirements and ease implementation. First, the Board has eliminated the requirement to report all direct reports to the principal executive officer to mitigate any issues regarding the disclosure of personal identifying information for individuals whose names and positions may not otherwise be publicly disclosed and whose positions may not be sufficiently germane to the audit practice to merit public reporting. The final amendments retain the requirement to disclose the principal executive officer, the executive or executives who oversee the firm's audit practice, and the QC roles (as described below), as the Board thinks these roles are sufficiently important to the audit practice and sufficiently likely to be public (except as noted below). The Board has also retained the requirement to disclose whether the firm has a governing board or management committees to which the principal executive officer reports and, if so, the identity of the members of that board or committee. The Board believes such positions are of sufficient seniority to likely be public and that such information is important to understanding overall firm governance. Second, the Board has eliminated the requirement to provide a description of the processes that would govern a change in the form of organization, as the Board intends the requirement to provide higher level governance information and is mindful that this provision may introduce more complexity than intended. Striking this provision also increases consistency with the EU directive requirements.
QC Comments
The Board received comments specific to the proposed reporting of QC roles. Some commenters supported reporting of some or all of the proposed QC roles. One commenter supported disclosure, at least for some firms in some form, of certain QC roles including the principal executive officer (as the individual with ultimate responsibility and accountability for the firm's system of QC as a whole) and the individual assigned operational responsibility and accountability for the system of QC as a whole. At the same time this commenter objected to the proposed disclosure of the EQCF or any similar role.
[top] Some commenters noted that certain disclosures, such as those related to individuals with ultimate accountability for the QC system, overlap with roles to be reported under QC 1000 and recommended eliminating duplication
Another commenter observed that the proposal would require a firm to disclose whether it has an independent oversight function for the audit practice, while the newly adopted QC 1000, A Firm's System of Quality Control, would require only some firms to have an EQCF; the commenter stated that this could cause confusion among stakeholders who do not understand the difference in requirements for an EQCF between firms. Another recommended clarifying the Board's use of the term "independent oversight function" and qualifying the description of such a function with the term "brief."
The Board has retained the requirement to disclose the QC roles, including both the operational roles specified in paragraph.12 of QC 1000 and the EQCF roles. The duplication between these disclosure requirements and the requirement to report these roles on Form QC was intentional. While the Board ultimately concluded that Form QC as a whole should be non-public, that did not represent a line-by-line determination that every item to be reported on Form QC must be confidential. 102 Certain considerations that militated in favor of the non-public nature of Form QC, including concerns that Form QC could include information protected from publication by Sarbanes-Oxley, do not apply to the disclosure of the individuals fulfilling these roles. The Board believes that the QC system, and these roles within the QC system, are sufficiently important to a firm's governance, and are directly and importantly related to the firm's conduct of audits, to warrant public disclosure of the QC roles. Moreover, the Board does not believe the reporting of a small number of names is overly burdensome, notwithstanding that firms have to report the names on Form QC (on a non-public basis) and on Form 2 (on a public basis). 103
Footnotes:
102 ? See PCAOB Rel. 2024-005, at 265-270.
103 ?Consistent with the proposal, the Board has allowed assertions of conflicts of laws with respect to these QC-specific roles. The Board believes they differ from other reported names, for which it is not allowing assertions of conflicts, because they may not be as senior or otherwise publicly reported.
With respect to the comments regarding internal duplication with Item 1.4, the Board acknowledges that the proposed requirement to report the roles and responsibilities described in paragraph .11 of QC 1000 (individual assigned ultimate responsibility and accountability for the QC system) was duplicative of the requirement to report the principal executive officer (who would have ultimate responsibility and accountability for the QC system). The Board therefore has struck the specific reference to paragraph .11 in Item 1.4e (while retaining the reference to paragraph .12 of QC 1000, which describes the QC operational roles). Lastly, the Board has modified Item 1.4.f related to the QC oversight function to conform to the language in paragraph .28 of QC 1000, to clarify that the reporting obligation is meant to capture the EQCF role as described in QC 1000.
The Board has added a note to the form including a reference to paragraph .28 of QC 1000 (setting forth the EQCF requirement) and clarifying that this disclosure applies both to firms required to have such a role under QC 1000 and to firms that otherwise have a role that meets the definition in Item 1.4.f. The reporting requirement will permit sufficient narrative disclosure for a firm to provide context regarding the nature of the firm's EQCF, including whether it has created the role in response to QC 1000.28 or otherwise.
With respect to any difference in reporting periods between Form QC and Form 2, Form 2 provides that information provided in Part I of the form, which would include Item 1.4, should be current as of the date of the certification of Form 2. Firms should abide by that instruction. Any disparity between information reported on Form 2 and on Form QC with respect to operational roles due to differing reporting periods should not cause confusion for users of Form 2 given the non-public nature of Form QC.
Finally, the Board proposed that the names of the individuals occupying QC roles be subject to assertions of a conflict of laws by foreign registered firms. The Board continues to think the names of these individuals are distinguishable from other names called for by this section insofar as they may not already be public in connection with these roles and could foreseeably be subject to a non-U.S law prohibiting the disclosure of personal data. Therefore, the Board has adopted provisions to permit assertions of conflicts of laws as proposed.
Other Comments
One commenter recommended that the Board, to the extent it includes the proposed items on an amended form, provide text boxes for each response with at least 2000 characters to allow firms to provide any necessary explanation and context for the information disclosed. The Board does not think each subpart of Item 1.4, such as those calling for a name or names, would merit 2000 characters. However, for those items that ask for a description, namely Items 1.4d and 1.4f, the Board agrees a more extended character count is warranted.
Other commenters recommended further study or reconsidering the necessity of the governance reporting and assessing whether the proposed information would directly contribute to audit quality. The Board believes its experience and the notice and comment process have provided an appropriate opportunity to consider the merits of the proposal and, further, that the Board and others will be in a better position to assess the effects of the reporting requirements after the reporting is implemented.
Network Information
[top] The Annual Report Form currently requires firms to identify whether they are a part of certain networks, arrangements, alliances, partnerships, or associations and, if so, to identify them and provide a description of those relationships. 104 In conceiving this reporting requirement, the Board noted that it intended to identify arrangements that "afford[?] the firm access to resources for use in issuer audits, including procedures, manuals, or personnel."? 105 The Board continues to believe that reporting regarding network arrangements that affect the resources, financial or otherwise, available to firms in the performance of audits is important to investors, audit committees, and others in their evaluations of audit firms and audit quality. However, the current network-related requirement asks only for "a
Footnotes:
104 ? See Form 2, Item 5.2.
105 ? See PCAOB Rel. No. 2008-004, at 10.
Network arrangements have provided members with benefits that research has found may affect audit quality. 106 As the largest four accounting firms, which have network arrangements, still provide audits to the majority of publicly held companies, it also follows that most public company audits are conducted by firms with network affiliations. Currently, while the PCAOB receives information regarding member firms within a network, the Board does not require significant information about how the network interacts with and supports member firms in the conduct of audits.
Footnotes:
106 ? See, e.g., Kenneth L. Bills, Lauren M. Cunningham, and Linda A. Myers, Small Audit Firm Membership in Associations, Networks, and Alliances: Implications for Audit Quality and Audit Fees, 91 The Accounting Review 767 (2016) (finding that specialized expertise, solutions to staffing and geographic limitations, and technical trainings are among the benefits that contribute to improved audits performed by smaller firms).
Accordingly, the Board proposed to amend Form 2, Item 5.2 to require a more detailed description of the network arrangement, including describing the legal and ownership structure of the network, network-related financial arrangements of the registered firm ( e.g., loans and funding arrangements to or from the network member firm), information-sharing arrangements between the registered firm and the network (including both sharing of such information as training materials, audit methodologies, etc. and sharing of audit client information), and network governing boards or individuals to which the registered firm may be accountable. The Board notes it would expect firms to indicate specifically whether they have outstanding loan and/or funding arrangements with their networks, in addition to noting whether such arrangements are permissible under their network arrangements.
General Comments
Some commenters supported the expanded network-related requirement generally. Other commenters opposed the network-related requirement. Some commenters questioned the usefulness of the proposed network requirements, including stating the following:
• It is unclear how the PCAOB would use the information.
• The PCAOB already has access to network-related information.
• It is unclear how this information would inform stakeholder decision-making.
• The network information may be misused or misinterpreted and could cause confusion.
• It is unclear how users could form conclusions about quality from the information to be provided.
• An individual member firm may not be privy to all network information that the PCAOB proposes to obtain.
Some commenters expressed concerns that certain information called for by the proposed requirement was too sensitive and subject to misinterpretation for public disclosure:
• Commenters stated that certain information, including network financial arrangements and legal structures, is confidential, proprietary, or sensitive and registered firms are not necessarily permitted to share such information, and/or the required disclosures are contrary to the Board's obligations under Sarbanes-Oxley. A number of firms stated the information should be collected only confidentially.
• A commenter stated its strong opposition to the network-related financial obligations of the registered firm or the governing boards or individuals to which the registered entity may be accountable, noting that such information is likely to be complex and potentially subject to misinterpretation without sufficient context. This commenter also stated this information may raise legal and financial risks for firms, threatening audit quality; for example, information regarding ordinary course financial arrangements has a risk of misinterpretation without sufficient context, including a misinterpretation that a firm is at risk of failure.
• A commenter stated the legal and ownership structure, network-related financial obligations, and how audit client information may be shared are complex matters that should be confidential, risk being misunderstood by stakeholders who do not have the benefit of two-way dialogue with the firm, and are better suited to the inspection process. This commenter also noted the complex and varying nature of network arrangements and that the disclosures could lead to unintended legal and financial consequences. Finally, the commenter questioned whether users of Form 2 will draw inferences about audit quality based only on the firm's membership in a network.
• One commenter stated that disclosure of funding or loan arrangements may have the unintended consequence of causing a misinformed loss of confidence in a member firm. Another firm stated the network disclosures could put some firms at a competitive disadvantage.
A commenter stated that the proposed requirement wrongly focuses on financial strength and suggested revising the requirement to focus on audit methodology, staff training, and quality control, including the following:
• Whether the network has a common audit methodology that is used by all member firms.
• Whether auditors throughout the network receive the same or similar training.
• Whether the network establishes minimum quality control policies and procedures that are implemented by each member firm.
• Whether the network conducts periodic inspections of its member firms and, if so, the frequency of those inspections and the extent to which the results of inspections are disseminated throughout the network.
• How the information about each member firm's clients is communicated across the network to facilitate compliance with the independence rules.
A commenter, while opposing the overall requirement, stated that certain elements seem more likely to be relevant to stakeholders and would be less costly to produce, including high-level information about the legal and ownership structure of the network and information-sharing arrangements between the registered firm and the network. One commenter stated that proposed disclosures related to network-related financial obligations and information-sharing arrangements between the registered firm and the network are ambiguous and do not include quantitative or qualitative limiting factors, and are not subject to a materiality threshold, thus potentially requiring firms to disclose even nominal arrangements within a network. This commenter stated that the Board expand the amount of space for firms to provide disclosure about the networks on Form 2 to allow more complete descriptions, but remove (or afford both a materiality threshold for, and a confidentiality protection to) the proposed specific requirements that may expose financial or other confidential or competitive business information.
[top] Some commenters questioned whether the Board's comparability objective would be achieved by the proposed requirements, with one commenter stating that the network-related requirements would not provide comparability benefits, given the wide variety in network structures among
The Board continues to believe, as discussed more fully in the proposal, that it is important for investors and audit committees to have access to comparable information regarding the resources a registered firm may have to conduct audit engagements and in connection with other aspects of its audit practice, such as training resources. To the extent that network arrangements may affect access to such resources, enhanced reporting regarding these aspects of a network arrangement would inform stakeholders' evaluation of the registered firm and its audit practice. Requiring greater specificity with respect to network information should reduce the likelihood of boilerplate disclosures and increase the usefulness to all stakeholders. The Board also continues to believe that requiring this information through a reporting requirement would increase the standardization, and therefore comparability, of information collected, which would benefit all users of this information.
Further, the Board continues to believe enhanced network reporting would inform the PCAOB's regulatory function. It would provide a baseline understanding of how the network arrangement influences the firm's governance and accountability, including oversight of its audit practice, and access to resources. Having this information available to the Board via reporting will inform the Board's scoping and planning of inspections.
In consideration of comments, however, the Board has modified the requirement to focus on the registered entity and the aspects of its relationship with the network that it believes most directly relate to the conduct of audits. Accordingly, instead of asking for the legal and ownership structure of the network, network-related financial obligations of the registered firm, information-sharing arrangements between the registered firm and the network, and network governing boards or individuals to which the registered entity may be accountable, the final amendments ask the firm to provide a brief description of the network relationship, i.e., describing at a high level the network structure and the relationship of the registered firm to the network, including whether the registered firm has access to resources such as firm methodologies and training, whether the firm shares information with the network regarding its audits, whether the firm is subject to inspection by the network, and any other information the registered entity considers relevant to understanding how the network relationship relates to its conduct of audits.
The Board believes these modifications should simplify the requirement. They should also eliminate or sufficiently mitigate risks identified by commenters, especially those associated with financial obligations, and focus the requirement on aspects of the network relationship most likely to influence the firm's conduct of audits. The Board further believes these modifications clarify that the requirement is not intended to elicit proprietary, sensitive, or confidential information. Rather the requirement is intended to increase the availability and the standardization of information that many firms in networks already provide. The Board notes further that the firm is free to provide whatever information it believes is necessary to contextualize the required information. In this regard, the Board acknowledges that the narrative disclosure required will not achieve perfect standardization or comparability. Nevertheless, compared to voluntary disclosure, where some firms do not provide such information and the firms that do provide network information are free from any parameters for disclosure, the Board believes that the required reporting should provide greater standardization and comparability than is currently available.
Comments on Interpretation
A commenter stated that it is not clear what is meant by the word "accountable" in Item 5.2.b's requirement to disclose "network governing boards or individuals to which the registered entity may be accountable." A commenter stated that consistent with guidance in the final release on Form AP, the PCAOB should also clarify that by "network" arrangements, the proposal is not referring to subsidiaries of the registered firm, other entities controlled by the registered firm issuing the audit report, or other non-accounting firm affiliates ( e.g., related entities with the registered firm that provide tax, valuation, or other assistance to the registered firm as part of the audit) whose work on audits would be supervised by and recorded in the working papers of the registered firm. A commenter encouraged the Board to further define the existing terms and how the Board expects firms to report the information. One commenter requested clarity around what is meant by requesting the 'ownership structure of the network.'
In consideration of comments, the Board notes that Form 2 currently requires firms to state whether the firm has any:
1. Membership or affiliation in or with any network, arrangement, alliance, partnership or association that licenses or authorizes audit procedures or manuals or related materials, or the use of a name in connection with the provision of audit services or accounting services;
2. Membership or affiliation in or with any network, arrangement, alliance, partnership or association that markets or sells audit services or through which joint audit s are conducted; or
3. Arrangement, whether by contract or otherwise, with another entity through or from which the Firm employs or leases personnel to perform audit services.
The network reporting requirement, currently and under the final amendments, applies if the firm answers affirmatively in response to any of the described arrangements. The Board believes that these descriptions of what constitutes a network or other relationship are sufficiently specific. The Board is not aware that interpretive difficulties related to these provisions have arisen previously. Moreover, because of the modified requirement, which no longer contains terms commenters requested clarity on, the Board does not believe that further clarification is warranted.
Comments on Authority
Commenters stated that the network is not registered and requiring reporting regarding non-registered entities may be beyond the scope of the PCAOB's authority. The Board continues to believe that it is squarely within the Board's authority to request information about aspects of network relationships that may influence the conduct of audits for the reasons noted above and in the proposal. The purpose of required network reporting has not historically been, nor is it now, to purport to regulate networks or other unregistered entities. Further, the Board believes that the modifications to this provision clarify the Board's focus on the registered entity itself.
Comments on Scaled Requirements
[top] The Board also solicited comment on whether the network-related requirements should be scaled in some fashion. A commenter stated that networks of many smaller firms are not a significant factor in those firms'
Special Reporting
1. Special Reporting Timeframe
The Special Reporting Form currently imposes a 30-day reporting requirement for certain specified events. When the Board originally conceived its special reporting requirements through Form 3, it provided that the specified special reporting events were "potentially of some immediate concern to the Board"? 107 and that "the public interest, as well as the ability to consider whether prompt action is warranted by the Board's inspection staff or enforcement staff, would be served by contemporaneous reporting of the event."? 108 The Board continues to believe that contemporaneous reporting of specified events serves both the Board's regulatory function and the public interest. In the proposal, the Board considered changes in the information environment in the over 15 years since the Board adopted the 30-day reporting deadline and concluded that more prompt special reporting is practicable and warranted.
Footnotes:
107 ?PCAOB Rel. No. 2022-006, at 10.
108 ?PCAOB Rel. No. 2008-004, at 17.
Accordingly, the Board proposed to revise Form 3's reporting deadline to 14 days after the triggering event occurs, or more promptly as warranted.
Comments Received
Some commenters supported the proposed acceleration of the special reporting deadline. One commenter agreed that 14 days was an appropriate timeframe and that the reduced reporting period would mean investors can have access to important information on a more timely basis.
Some commenters opposed and/or expressed concerns about the accelerated deadline:
• Commenters stated that they were concerned that the proposal does not adequately justify reducing the deadline, that it is unclear why the deadline needs to be accelerated, and that the PCAOB should identify what immediate actions it would take in response to the expedited reporting deadlines. Other commenters stated that is unclear what the justification is for increased cost and small firms will be disproportionately impacted.
• A commenter stated that to justify additional costs firms will incur to increase monitoring for such events, the Board should demonstrate what specific actions it would take as a result, and the benefit of earlier action.
• One commenter stated that it was concerned that accelerating the special reporting will result in otherwise avoidable errors in reports, pointing to the Board's conclusion in the 2008 reporting adopting release that 14 days was insufficient. That commenter stated that for certain limited and highly material events ( e.g., acquisition/divesture, financial stress, etc.) a more accelerated timetable for reporting may benefit the PCAOB's oversight activities, but stated that it did not believe that accelerated reporting aligning with SEC 8-K reporting requirements is appropriate.
• One commenter stated that it did not support the accelerated deadline, pointing to the Board's previous conclusion in the 2008 reporting adopting release, and stating that there do not appear to be compelling reasons to shorten the timeframe now. This commenter stated that matters subject to reporting may warrant additional legal advice before the firm can conclude it has a reporting obligation, including because of complexity related to the interactions between U.S. and non-U.S. laws. Further, this commenter stated that there would be increased costs associated with increased monitoring that would be required due to the accelerated deadline.
• One commenter stated that, to the extent the Board is relying on the assumption that collection processes can be automated to justify the proposed change, most of the information currently required to be reported on Form 3, as well as the additional information the Board is proposing to require, largely does not lend itself to automated tracking and processing, contending that the issues are infrequent, triggered by third party action, require the exercise of judgment, and potentially involve seeking legal advice. Another commenter similarly stated that 14 days is insufficient, noting that the events occur infrequently and unexpectedly and require analysis and assessment, and legal advice. Other commenters stated that Form 3 reporting is not conducive to automation.
• A commenter noted that the reporting clock currently starts on the date that any partner, shareholder, principal, owner or member of the firm first becomes aware of the facts that trigger special reporting, and that a 14-day requirement would make it more challenging to allow time for internal processes to complete.
• Some commenters stated that the accelerated deadline would disproportionately impact non-U.S. firms, including because there may be issues as to whether a matter should be reported, whether a matter should be confidential, and/or whether a firm should withhold information due to legal conflicts. One commenter stated that it has observed firms struggling to comply with the 30-day deadline and recommended the PCAOB take into account that smaller firms do not have full time departments of lawyers and other professionals whose only job is to monitor compliance with PCAOB reporting forms.
• One firm opposed the acceleration without explanation. A commenter recommended maintaining the 30-day deadline (or phasing in a shortened deadline) for the more complex disclosures, such as those required to be reported in existing Part IV (Certain Proceedings) and Part V (Certain Relationships) of Form 3, as well as for the proposed new disclosures in Part VIII (Material Event Reporting).
• A commenter stated that smaller firms should be exempted from the accelerated reporting deadline, as the firm reporting requirements together would disproportionately impact smaller firms.
Response to Comments
[top] In consideration of comments and the Board's intended regulatory objectives, the Board has not adopted the proposed acceleration of the Form 3 reporting deadline for existing Form 3 items. The Board is mindful of costs, particularly for smaller firms, and the challenges and costs associated with implementing monitoring and reporting systems for the accelerated timeline for all Form 3 reporting items. The Board has, however, adopted the accelerated
As an initial matter, limiting the accelerated reporting timeframe to these two items will mitigate costs. In addition, the Board believes these items are distinguishable from existing Form 3 items. First, these items represent particularly time-sensitive matters, in contrast to existing Form 3 reporting triggers, which is a central impetus for implementing these reporting items. Second, these items are to be reported on a confidential basis, in contrast to existing Form 3 reporting triggers, which should reduce costs associated with reporting and facilitate more timely reporting, i.e., reduce the need for extensive reviews due to public disclosure.
The Board believes eliminating the proposed accelerated timeframe for existing Form 3 items and implementing it for new, more urgent reporting items strikes an appropriate balance between mitigating burdens associated with a shorter reporting timeframe and helping to ensure timely reporting of events that are sufficiently sensitive and urgent to merit more timely, confidential reporting to the Board.
The Board also received comments requesting clarification of the requirement to report within 14 days "or more promptly as warranted." This language no longer applies to existing Form 3 items, as the Board has retained the 30-day reporting period without modification. The Board has retained this language for material event reporting, which is subject to the accelerated timeframe. The Board reiterates that, where the reportable events would be publicly reported, either in media or through SEC reporting or otherwise, before the 14-day period has elapsed, more prompt reporting is warranted. In addition, firms should consider more prompt reporting with respect to particularly urgent events that may compromise the firm's ability to conduct audits on a timeframe shorter than 14 days.
2. Material Event Reporting
In the proposal, in addition to the reporting deadline, the Board considered that certain significant events that have implications for the firm's operations, and therefore its audit practice, are not currently captured by the types of events required to be reported on Form 3. Thus, the Board concluded that certain additional special reporting triggers are warranted. The Board proposed to impose a general special reporting obligation for any event or matter that poses a material risk, or represents a material change, to the firm's organization, operations, liquidity or financial resources, or provision of audit services. As proposed, such events or matters would include, but would not be limited to:
• Any event or matter that has or is reasonably likely to materially impact the firm's total revenue as reported in its last Form 2 filing;? 109
Footnotes:
109 ?This may include, but is not intended to be limited to, a solvency-threatening change in revenue. The Board notes an increase in revenue would also warrant reporting if it would necessitate significant audit staffing increases or other comparable organizational changes.
• A determination that there is substantial doubt about the firm's ability to continue as a going concern;? 110
Footnotes:
110 ?Firms may refer to the applicable audit standard and/or applicable financial reporting framework requirements for guidance in connection with this item.
• Planned or anticipated acquisition of the firm, change in control, or restructuring, including external investment and planned acquisition or disposition of assets or of an interest in an associated entity;
• Entering into or disposing of a material financial arrangement that would affect the firm's liquidity or financial resources (such as a line of credit, revolving credit facility, loan, or other financing), or group of related arrangements;
• Any actual or anticipated non-compliance with loan covenants;
• Material changes in the insurance or loss reserves of the firm and material changes related to captive insurance or reinsurance policies, including events that triggered material claims on such policies;
• Material changes in the amount of unfunded pension liabilities;
• That the firm has entered into, or plans to enter into, a definitive agreement or other arrangement that would cause a material change to the firm's operations or provision of services ( e.g., spinning off a consulting business or severing a portion of the business for private equity involvement);
• That the firm has obtained a license or certification authorizing the firm to engage in the business of auditing or accounting and which has not been identified on any Form 1 or Form 3 previously filed by the firm, or there has been a change in a license or certification number identified on a Form 1 or Form 3 previously filed by the firm;
• A change in principal executive officer; or
• Any other planned or anticipated material amendments or changes to the firm's organization, legal structure, or governance. 111
Footnotes:
111 ?For example, a plan to restructure to separate auditing and non-auditing functions would warrant reporting under the proposed requirement. Such reporting should capture transactions whereby a legal separation of entities would result in assurance business partners maintaining or receiving an ownership interest in a new or existing non-assurance entity.
The Board proposed that material events be reported confidentially.
General Comments
Some commenters supported the proposed material event reporting and agreed that it would enhance understanding of significant events at firms, including events that may pose a risk not just to an individual firm, but to the broader market for audit services, such as a large firm exiting the market. Some commenters noted they appreciated the importance of timely notification to the Board of material events.
[top] Some commenters generally opposed the material event reporting. One commenter stated that the proposed requirement is overly broad and subject to hindsight bias. This commenter stated that the requirement included an ambiguous set of possible scenarios and may create operational challenges in maintaining sufficient quality management controls over reporting. Some commenters questioned how the information would be useful or impact a firm's provision of audit services, with one commenter stating that the only provision that would impact audit services was the going concern item. A commenter stated that the listed examples lack clarity and that firms need flexibility in conducting operations, including planning and investing based on their overall operating objectives, without having to disclose these plans to the PCAOB. That commenter also stated that it did not believe that financial or operational information related to the firm's non-audit practice is relevant to the PCAOB's oversight. It further questioned how a firm would account for the portion of their operations under the PCAOB's jurisdiction, asking if a firm would be required to come up with an allocation analysis. 112 Relatedly, a commenter also expressed that clarity is needed over whether the reporting requirements cover the firm as a whole, or whether reporting is required in
Footnotes:
112 ?This commenter also offered a number of objections to public disclosure of information generally and with respect to particular items, which are inapposite given the confidential nature of the reporting.
A commenter stated that the events that would trigger special reporting are too broadly defined and inconsistent with the PCAOB's mission. Another commenter stated that such information should be required through the inspection process.
Some commenters expressed concerns regarding the reporting of planned or anticipated events and/or recommended removing such provisions:
• A commenter stated that situations where impact is uncertain or unpredictable, such as the inclusion of events or matters that may reasonably impact a firm's total revenue, raise questions about how certain events, such as economic conditions or the COVID-19 pandemic, should be treated. The commenter stated further that there is uncertainty regarding how a firm would determine the timing of planned or anticipated events and further clarification from the Board on how to handle these types of events would be valuable.
• A commenter stated that it did not believe it would be appropriate or practical for a firm to file Form 3 for planned or anticipated events; it disagreed with the proposal's discussion of public relations plans as an indicator of future events, stating that events can change significantly between the commencement of communication plans and the execution of a definitive agreement.
• A commenter stated that reporting should apply to events that have taken place, not to those that are reasonably likely to happen.
• A commenter recommended limiting reporting to events that have been completed, stating that otherwise firms may be obligated to report on normal course matters that do not come to fruition.
• A commenter stated that it was concerning that the proposed requirements related to anticipated events and the related ambiguity would leave the firms subject to second-guessing and therefore would likely result in overreporting, with the attendant increased costs and unnecessary exposure of highly proprietary information.
• A commenter stated that the proposed threshold of "substantially likely" as a trigger for reporting is judgmental, that many of the events listed in the proposal may take some time to develop, and that it may not be clear when the event is substantially likely to occur. This commenter also stated that it was concerned about whether and how the PCAOB staff may challenge those judgments during an inspection.
Some commenters offered specific comments on certain enumerated items in the non-exhaustive list:
Any event or matter that has or is reasonably likely to materially impact the firm's total revenue as reported in its last Form 2 filing.
• Commenters suggested modifying this item to strike "reasonably likely to" and to pertain to total fees billed rather than revenue.
• A commenter stated that the purpose of this requirement is not clear, as the commenter stated that firms are already required to communicate when they resign from an engagement and if a firm decides to exit audits in a particular industry, appropriate communication will be provided through the existing requirement. The commenter also stated that this requirement will disproportionately impact smaller firms because every decision could be material to the firm.
Planned or anticipated acquisition of the firm, change in control, or restructuring, including external investment and planned acquisition or disposition of assets or of an interest in an associated entity.
• Commenters supported adding a materiality threshold.
• A commenter suggested deleting this item.
• A commenter stated the requirement lacked clarity with respect to the term planned and anticipated.
Entering into or disposing of a material financial arrangement that would affect the firm's liquidity or financial resources (such as a line of credit, revolving credit facility, revolver, loan, or other financing), or group of related arrangements.
• A commenter stated this requirement is particularly onerous and administratively burdensome and would be a significant distraction from the operations of a firm, and questioned whether this includes switching financial institutions or entering into lease arrangements and what the purpose of requiring this information is.
• A commenter suggested explicitly excluding routine transactions regarding material financial arrangements that are entered into as a matter of course, such as refinancing based on interest rate changes, or other transactions that do not have a material impact on the firm's liquidity or financial resources.
• A commenter suggested that in most cases, a routine financing arrangement will have no impact on a firm's audit practice so it is unclear how the materiality principle would be applied to these transactions. This commenter stated that a qualitative materiality will be much more relevant to a firm's reporting of this type of arrangement.
Any actual or anticipated non-compliance with loan covenants.
• Some commenters supported adding a materiality threshold.
• A commenter suggested modifying this item to strike "or anticipated."
Material changes in the insurance or loss reserves of the firm and material changes related to captive insurance or reinsurance policies including events that triggered material claims on such policies.
• A commenter questioned whether this would include events that triggered material claims on such policies and stated that the purpose of this public disclosure is not clear.
• A commenter stated that this requirement is beyond the scope of the PCAOB's oversight authority, and that unless such events fall within the scope of existing Form 3 reporting requirements, it does not believe this item should be included in a final rule.
• A commenter suggested striking this item.
• A commenter stated that the requirement is well beyond the scope of the PCAOB's oversight authority and that, unless such events fall within the scope of existing Form 3 reporting requirements, it does not believe this item should be included in a final rule.
Material changes in the amount of unfunded pension liabilities.
• A commenter questioned, to the extent that these assets are invested in the stock market, whether a firm would have to provide notice in the event of a material change in the stock market.
The firm has entered into, or plans to enter into, a definitive agreement or other arrangement that would cause a material change to the firm's operations or provision of services (e.g., spinning off a consulting business or severing a portion of the business for private equity involvement).
• A commenter stated this element should be required only where a definite agreement has been entered into.
• A commenter suggested striking "or plans to enter into" from this item and broadening it to include changes to the firm's ownership, and governance.
Any other planned or anticipated material amendments or changes to the firm's organization, legal structure, or governance.
• A commenter suggested striking this item.
[top] A commenter stated that the benefit in some instances of disclosing material positive changes, rather than only
A commenter stated that the non-exhaustive list provided by the PCAOB is beneficial in identifying potential subjects for material event reporting but that additional guidance would enhance clarity in interpreting and applying the requirement. By contrast, other commenters expressed concern with the nature of non-exhaustive nature of the list, stating that reporting requirements should not contain subjective language or be open to interpretation, that the PCAOB should consider providing specific parameters of what should be reported rather than providing a non-exhaustive listing.
Some commenters stated that certain example events include the concept of materiality directly in the example but the title of the reporting and the lead-in to the listing of potential events includes the concept of materiality more broadly, and that it is unclear whether the concept of materiality applies to all enumerated items.
Response to General Comments
The Board continues to believe that timely, confidential? 113 reporting of significant events (including solvency-threatening events) that may impact the firm overall, and therefore its provision of audit services, will provide the PCAOB with more complete information regarding the audit firm and its audit practice. Such reporting will enhance the Board's understanding of significant events at the registered firms it oversees, including events that may pose a risk not just to an individual firm, but to the broader market for audit services, such as a large firm exiting the market. The objective of this provision is not to require reporting regarding aspects of a firm's business that are not subject to PCAOB oversight but to require reporting of significant events that the firm experiences that will affect its audit practice in such a manner as to warrant notifying the Board promptly. As discussed in the proposal, these are the types of events that some firms have in the past notified the Board of informally, suggesting the appropriateness of notifying the Board of such events. Creating a formal requirement will increase clarity regarding and uniformity in reporting of such events.
Footnotes:
113 ?The Board has added a note and instruction to Form 3 to clarify the confidential status of information reported under this item.
Constructing the provision in the proposal as a general requirement with a non-exhaustive list of included reporting events was intended to provide parameters for disclosure while maintaining flexibility to accommodate events that may not be included in the narrowly defined enumerated events. The individually enumerated items were meant to capture scenarios the Board could foresee would merit reporting and to define them with sufficient specificity to provide adequate guidance to firms. The use of the materiality threshold, which the Board acknowledges requires greater judgment on the part of the firm than bright line disclosure requirements, was meant to limit the focus of reporting to events that would have a significant enough impact on the audit practice to warrant prompt reporting. (See below for further discussion of the materiality threshold.) The Board continues to think this basic structure-general requirement, non-exhaustive enumerated items, and materiality qualifier-is appropriate. Given that the enumerated list captures the scenarios the Board foresees are appropriate for reporting, the Board believed that reporting outside the list is likely to be relatively infrequent, but the Board does not wish to foreclose the possibility entirely.
In response to several comments, the requirement is not intended to capture routine or recurring events. The Board has added a note to this effect to the form. In this regard, the Board does not believe significant changes to the firm's monitoring systems should be required. The requirement is intended to focus on the types of events that firm leadership should already be aware of.
In response to the comment regarding whether allocation analyses are required, the requirement is only to report the event, not to analyze or quantify the precise effect on the audit firm. There is no requirement or expectation that firms would provide any kind of analysis in connection with this reporting event, only a brief description, which is tailored to alert the Board to the event and provide sufficient information for the Board to understand at a high level the nature of the event and determine if it wishes to request additional information from the firm.
Scaling the Requirement
In consideration of comments and consistent with the Board's regulatory objectives, the Board has limited the firms subject to this requirement to registered public accounting firm that, during the preceding calendar year, issued audit reports with respect to more than 100 issuers ( i.e., annually inspected firms). The Board believes such an accommodation will help limit the burdens associated with the reporting requirements to larger firms best able to bear them. In addition, the Board believes that material events at larger firms subject to annual inspection are more likely to have potential spillover effects to the broader market and therefore this limitation is more in line with the objective of this reporting requirement. 114 Furthermore, the revisions to Form 2 that the Board has adopted, which are applicable to all firms, capture information analogous to certain of the special reporting requirements ( e.g., principal executive officer and other governance information), thus providing a continual reporting touchpoint for smaller firms as well.
Footnotes:
114 ?This is not to suggest that the material events enumerated would not occur at smaller firms, only that the reporting required under Item 8.1 is applicable only to annually inspected firms.
Modifications to the Enumerated List
While the Board believes the general approach it proposed is appropriate, the Board has modified the reporting item in several ways to promote clarity, ease implementation, and better focus the provision on the firm's audit practice.
First, the Board has modified the general requirement to include the qualification that events must affect the provision of audit services. The final item will thus apply to any event or matter that poses a material risk, or represents a material change, to the firm's organization, operations, liquidity, or financial resources, in such a manner that it will affect the provision of audit services. This will clarify that the objective of the reporting is to capture material events at the firm level that will ultimately affect the audit practice.
[top] As an additional change, after considering comments, the Board has removed proposed language related to planned or anticipated events and restricting the reporting to events that have occurred as the Board is mindful that it may call for speculative judgments. The Board believes this will reduce complexity, ambiguity, and the risk of overreporting. However, the Board notes that certain events are defined as agreements to undertake certain action, i.e., entering into a definitive agreement to restructure, not
Below the Board illustrates changes to each element of the list and introductory language:
[Federal Register graphic "EN05DE24.000" is not available. Please view the graphic in the PDF version of this document.]
This change reflects the clarified focus on the audit practice discussed above.
[Federal Register graphic "EN05DE24.001" is not available. Please view the graphic in the PDF version of this document.]
This reflects a conforming change in light of modifications to the fee reporting item. The Board continues to believe both material increases and decreases in revenue are appropriate for reporting. Material decreases may reflect significant solvency issues, while material increases may necessitate staffing or other significant changes to accommodate new areas of business. The Board has retained the phrase "is reasonably likely to" in this item. The Board believes this is distinguishable from instances where the Board has stricken language related to planned or anticipated events. Here, the event itself has occurred and it is the effect on the firm's fees that is anticipated. The Board believes such language is necessary as fees are reported for an annual period; waiting until the actual change in reported fees would result in reporting of the event that is too delayed ( i.e., would result only in annual reporting of such an event).
• A determination that there is substantial doubt about the firm's ability to continue as a going concern.
This item is unchanged from the proposal. The Board continues to believe that substantial doubt regarding a firm's ability to continue-and therefore to conduct audits-is an appropriate subject for special reporting.
[Federal Register graphic "EN05DE24.002" is not available. Please view the graphic in the PDF version of this document.]
The Board has eliminated this item as it has been consolidated into another item below (definitive agreements that would cause a material change to the firm).
[Federal Register graphic "EN05DE24.003" is not available. Please view the graphic in the PDF version of this document.]
[top] In consideration of comments, this change is to clarify that the effect of the financial arrangement should be material and exclude routine events. The Board continues to believe that material changes in a firm's access to
[Federal Register graphic "EN05DE24.004" is not available. Please view the graphic in the PDF version of this document.]
This change is to eliminate anticipated events, as discussed above. Non-compliance with loan covenants could lead to a loss of credit or access to other funding sources that may impact the firm's ability to conduct audits. Because of this, the Board believes that any non-compliance with loan covenants would be material and is not adding a materiality qualifier to this item.
• Material changes in the insurance or loss reserves of the firm and material changes related to captive insurance or reinsurance policies including events that triggered material claims on such policies.
This item remains unchanged from the proposal. The Board thinks it is clear that it applies only to material changes and material claims as formulated.
[Federal Register graphic "EN05DE24.005" is not available. Please view the graphic in the PDF version of this document.]
This change reflects the Board's agreement with commenters that limiting this item to adverse changes will elicit more useful reporting.
[Federal Register graphic "EN05DE24.006" is not available. Please view the graphic in the PDF version of this document.]
The changes to this item broaden its scope, such that the Board can delete other enumerated items, and streamline the list as a whole. The changes also reflect the removal of anticipated events described above.
• That the firm has obtained a license or certification authorizing the firm to engage in the business of auditing or accounting and which has not been identified on any Form 1 or Form 3 previously filed by the firm, or there has been a change in a license or certification number identified on a Form 1 or Form 3 previously filed by the firm.
• A change in principal executive officer.
These two items remain unchanged from the proposal. The Board continues to think they are appropriate subjects for special reporting.
[Federal Register graphic "EN05DE24.007" is not available. Please view the graphic in the PDF version of this document.]
This item has been deleted as the definite agreement item is sufficiently broad to make this item redundant.
The Board believes these changes are responsive to commenters and will focus the reporting on events that will affect the audit practice. In addition, insofar as the changes clarify and streamline the requirement, the Board believes they should ease the burdens of this requirement for all firms, including smaller firms.
Comments on Materiality Interpretation
The Board also received comments on the application and interpretation of the term "material." A commenter recommended amending the proposed requirements to insert a footnote to the first reference of "material" to explain the meaning of the term, including the term's relationship to the "SEC guidance" on materiality. Other commenters expressed concerns regarding operationalizing the materiality threshold. A commenter stated that the law on what constitutes material information for accounting firms is not well-developed. A commenter stated that the proposal's discussion of materiality does not align with any current definition of the term in the securities laws, case law, or common commercial agreements. A commenter stated that the Board should be clearer on materiality guidance and it should be included in the rule. This commenter recommended being clearer that qualitative materiality considerations may often be more relevant to this determination than quantitative ones, stating that firm revenue may change in ways that might be quantitatively material in an audit context, but such changes usually do not pose material risk, and, therefore, should not require Form 3 reporting.
[top] A commenter stated that the SEC's guidance on materiality judgments in Staff Accounting Bulletin No. 99 (SAB 99) referenced in the release is not a workable threshold for reporting, and that the PCAOB should better define the threshold for reporting and provide
Response to Materiality Comments
As discussed above, the Board acknowledges that applying a materiality threshold will require greater judgment than a bright line reporting trigger. 115 The use of the materiality threshold is meant to limit reporting to those events that warrant special reporting, while retaining some flexibility to account for unforeseen or difficult to define events. The Board believes some threshold is required. The Board considered using "significant"-as evidenced by the discussion in the release, the Board is generally seeking reporting of events that, consistent with the common understanding of the term, are significant. However, the term "significant," like any threshold, would also require some definition or guidance. The Board has used the term "significant" in connection with cybersecurity incident reporting, discussed below. The Board defined the term narrowly and specifically there because it wants a more concrete threshold. By contrast, this requirement is intended to be more elastic. Materiality is meant to act as a limitation on reporting, but one that permits greater judgment on the part of the firm.
Footnotes:
115 ?A commenter stated generally that the proposed requirements included a mix of rules-based and principals-based requirements, and for requirements that include a materiality determination or those that use language requiring the exercise of judgment as to what should be reported, the commenter urged the Board to embrace the spirit of principles-based requirements and not use disagreements about firms' good faith judgments as a basis for increasing enforcement cases. As discussed in this section, the materiality threshold is intended to act as a limitation on the information required to be reported to reduce burden of reporting while still eliciting significant information. Generally, requirements that permit judgment, including those that include a materiality threshold, are intended to provide flexibility to tailor disclosure appropriately based on a firm's understanding of its business. The Board would exercise appropriate discretion in an inspection or enforcement context.
The Board continues to think materiality is the appropriate threshold and one that auditors are familiar with. Based on comments, the Board no longer believes that the discussion of materiality in the proposal referencing investor reliance on the audit report-namely, the statement that material events should be understood as those that may affect the audit practice or companies under audit so as to influence the degree of trust or reliance that a reasonable investor would place in the audit report and therefore the financial statements-was clarifying. As an initial matter, based on comments, the Board does not think that formulation is consistent with the manner in which audit firms would apply materiality vis-à-vis the audit firm. In addition, upon reflection, premising the requirement on the investor perspective sets too high a bar, given the more indirect relationships of investors to the audit firm.
The Board continues to believe that the general principles of materiality set forth in SEC guidance and related materials is appropriate to consider and apply in this context, and familiar to auditors. Namely, a materiality determination would involve consideration of both quantitative and qualitative considerations, with "qualitative" materiality referring to surrounding circumstances that would inform evaluation of an event. However, the perspective, or lens through which to apply those principles is not the investor's but that of a reasonably prudent audit partner. This is not to say that reporting is restricted to events that the firm has already announced to its partnership. Rather, the analysis asks whether a reasonably prudent audit partner would want to be informed of this information. The Board believes the examples in the enumerated list are sufficient examples of the types of events subject to reporting under this standard. The Board agrees with commenters that the materiality assessment will generally be qualitative rather than quantitative, even with respect to financial events.
To codify this approach, the Board has added the following note to Item 8.1: The term "material" should be understood to limit the reported information to those matters about which reasonably a prudent audit firm partner would want to be informed, applying the general principles of qualitative materiality familiar from the securities law context. This understanding of materiality is applicable only to reporting under Item 8.1. This item is not intended to capture routine or recurring events.
Comments on the Reporting Clock
The Board solicited comments on when the reporting clock should start, including whether, for material event reporting, it should begin on the date the firm determines an event to be material. A commenter stated that changing the start date of the reporting clock to be the date on which the firm determines the event to be material could facilitate compliance and make the timeline more operable. A commenter stated that it believes there needs to be clarity around the trigger for accelerated reporting, and suggested retaining the existing trigger of when any partner, shareholder, principal, owner, or member of the firm first becomes aware that the event is pending and adding a second materiality consideration. Another commenter seemed to agree with starting the reporting clock on the materiality determination. One commenter stated that is untenable for the standard to be the date "any partner . . . first becomes aware of the facts" and the special reporting timeframe should be aligned with the knowledge of relevant facts by firm leadership.
As an initial matter, the Board has not altered the trigger for the start of the reporting clock for any existing Form 3 items. The Board is not aware that there is any implementation difficulty in practice for existing Form 3 items related to the existing trigger.
For material event reporting, however, the Board continues to think it is appropriate to begin the reporting period upon the determination that an event is material, especially in light of the shorter reporting timeframe for material events. This approach will accommodate an informed and potentially deliberative process involved in making a materiality determination and the possibility that the materiality determination may not in some instances occur on the same day the event occurs. However, the Board notes that it is the Board's expectation that materiality determinations not be unreasonably delayed.
Comments on Authority
[top] Some commenters questioned the Board's authority to require reporting beyond the PCAOB's oversight of issuer audits. One commenter stated that the Board should focus its disclosure requirements to events that have an impact on the firm's ability to perform quality audits of issuers and as such should not extend to areas beyond the Board's jurisdictional authority. Another commenter stated that certain
The Board is not purporting to assert operational control over audit firms. The intention of the proposed reporting requirements is not to elicit information regarding non-audit operations, but to elicit information regarding events that will affect the firm's audit practice. The Board believes the modifications discussed above emphasize this and tailor the requirements to achieve this objective.
Cybersecurity
1. Cybersecurity Incident Reporting
The Board knows that firms experience cybersecurity incidents. The Board further knows that such incidents have the potential to cause substantial harm to audit firms, companies under audit, and investors through, for example, the disruption of the provision of audit services or the exposure of confidential information to the public. The PCAOB has no formal mechanism to receive prompt information about such incidents and any responses. Accordingly, the Board proposed to implement special reporting requirements for prompt reporting of significant cybersecurity incidents. Specifically, the Board proposed to revise Form 3 to require the reporting of significant cybersecurity incidents within five business days on a confidential basis. The Board proposed to define "significant cybersecurity incidents" as those that have significantly disrupted or degraded the firm's critical operations, or are reasonably likely to lead to such a disruption or degradation; or those that have led, or are reasonably likely to lead, to unauthorized access to the electronic information, communication, and computer systems (or similar systems) ("information systems") and networks of interconnected information systems of the firm in a way that has resulted in, or is reasonably likely to result in, substantial harm to the audit firm or a third party, such as companies under audit or investors. The reporting period, as proposed, would have been measured from the time the firm determined the event to be significant.
General Comments
Some commenters generally supported the cybersecurity disclosure initiative, emphasizing the impact of technology on audits and the Board's duties. One firm mentioned that reporting cybersecurity incidents and breaches is important to investors and cited the benefits of transparency in this area as auditors defend themselves against cyberattacks. Another commenter agreed that such cybersecurity disclosure would inform the PCAOB and other regulators of critical information regarding the potential for disruptions of audit firm operations that could not only impact the provision of audit services, but could also indicate potential compromises of individual or issuer information.
Comments on the Clarity and Scope of the Term "Significant Cybersecurity Incident"
On the other hand, several commenters expressed concern over the clarity and scope of the defined term "significant cybersecurity incident." One firm commented that the Board should provide examples of what would fall under this term and another suggested that the proposed definition needs to be more specific. Commenters also suggested adopting the term "material" instead of "significant" as it is a term already broadly understood. A commenter also encouraged the Board to clarify how an incident is defined for reporting purposes and to clarify whether breaches as defined in the proposal include only direct breaches to the audit firm network or if breaches include any consequences of breaches to clients or service providers to the audit firm. One commenter also recommended incorporating a clear definition of what constitutes a related group of cybersecurity incidents. Commenters mentioned specific terms within the definition that they believe require more explanation, including "disrupted," "degraded," "critical operations," "significant," and "substantial harm."
Further, several commenters asserted that the scope of this requirement should be limited to events that have affected a firm's issuer or broker-dealer audit practices. A commenter opposed language requiring the assessment of "substantial harm" to third parties and argued that this concept should be considered by the company and not the firm. Similarly, another commenter stated that any harm to an investor is likely derivative of the harm to the company itself and if the Board expects any non-derivative harm, the Board should identify such potential harms. Another commenter suggested that the Board use the term "substantial impact" instead. One commenter suggested keeping "substantial harm" but amending the rule text to target disruption or degradation to a firm's "critical audit-related operations."
Some commenters asserted that any requirement in this area would exceed the PCAOB's statutory authority. One commenter questioned the PCAOB's authority or need to receive such information from registered firms, given the PCAOB's jurisdiction. Additionally, several commenters expressed disapproval over the "reasonably likely" reporting threshold and advocated for a threshold that requires reporting only upon confirmation of the significant cybersecurity incident. One commenter stated that the proposed reporting threshold requires significant speculation and could be second guessed in hindsight. Another similarly stated that the proposal leaves room for interpretation as to which incidents are "reasonably likely to lead to disruption/degradation/unauthorized access/substantial harm."
[top] After taking into consideration these comments, the Board has altered the proposed definition of "significant cybersecurity incidents." Now, the Board defines this term as those cybersecurity incidents that have significantly disrupted or degraded the firm's operations critical to the functioning of the audit practice; or those that have led to unauthorized access to the electronic information, communication, and computer systems (or similar systems) ("information systems") and networks of interconnected information systems of the firm in a way that has resulted in substantial harm to the audit firm's critical audit-related operations. This new definition removes the "reasonably likely" threshold and only includes events that have impacted a firm's audit practice. The Board also elected to maintain the modifier "significant" instead of "material," as recommended by some commenters, since the Board believes its defined term "significant cybersecurity incidents" would invite less confusion than one that integrates a well-established concept like materiality. Further, the Board is still requiring a determination of substantial harm. The Board believes that other suggested alternatives, like "substantial
The new definition of "significant cybersecurity incidents" retains some terms that were cited by commenters as requiring further explanation. The Board considers the term "critical operations" to generally include activities and processes that if disrupted could prevent the firm from continuing to effectively provide audit-related services. Further, some commenters sought clarity around the phrase "significantly disrupt" or "significantly degrade." As an example, if a cyberattack cuts off access to a critical audit-related service, it would be deemed to have significantly disrupted or degraded the entity's operations critical to the functioning of the audit practice. In a similar vein, an example of "substantial harm" would include the loss of a firm's data caused by malware.
Comments on the Reporting Timeframe
Some commenters disagreed with the required reporting timeframe and believe five business days is too short given the practical obstacles of this reporting. One commenter stated that requiring reporting to the PCAOB within five business days adds to the regulatory burden and that the benefits of such a timeline need to be further demonstrated. Another cited the need for a longer reporting timeframe for smaller firms with fewer resources. A commenter also expressed concern over the ability to assess the ramifications of a breach and provide meaningful disclosures in this timeframe. One commenter stated that where incidents need to be reported, a yearly or quarterly report or, at minimum, 90 days after a confirmed significant cybersecurity incident has actually occurred, would be more suitable timeframes. Another suggested that the PCAOB consider taking a tiered approach to the requirement to report within five days, reflecting the difference between registered firms issuing audit reports and those which do not. However, to the contrary, a commenter also noted that the proposed reporting period within five business days may be sufficient and timely and aligns with the SEC Cyber Release. Commenters also suggested that the Board incorporate a process for supplementing any report with information as it becomes available, in an effort to mitigate the effects of any speculative or unconfirmed information supplied in the first round of disclosure.
Having considered these comments, the Board has decided to maintain the five business-day disclosure timeframe. Given the Board's expectations of the content of the reporting, this timeline is sufficient for firms to make determinations regarding the incident's significant high-level effects. The Board does not intend for firms to produce a detailed analysis of the incident that would go beyond a summary that satisfactorily addresses the criteria of this requirement. In the proposal, the Board stated that it would require firms to report "the effect of the incident on the firm's operations." Instead, the Board now requires firms to report "the determined effects of the incident on the firm's operations." Such a change should alleviate the need to provide definitive conclusions regarding the incident's effects and allow for estimates to be reported, with the option for future regulatory follow-up. The Board believes that the adjustments to the requirement will mitigate the cost burdens associated with this reporting for both small and large firms. Firms also have the option of following up with the PCAOB should they discover more information about the breach after the five-business-day period. 116
Footnotes:
116 ?Further, the SEC's Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure final rule, effective from September 5, 2023, imposes a 4-day reporting period on public disclosure of certain cybersecurity incidents. Many of the parameters of the SEC's reporting overlap with the Board's proposed confidential reporting.
Comments on the Clarity on Other Terms
Some commenters also sought further clarity regarding the information to be reported, stating that expectations as to what information should be included in the reporting should be written into the text of the rule and not limited to commentary in the adopting release. Another commenter requested that the instructions to Form 3 should include information that the PCAOB would expect to be reported regarding cybersecurity incidents. One firm recommended that the Board clarify the term "sufficient information" in its reporting requirement and provide illustrative disclosures to assist firms in determining what disclosures are expected. One commenter stated that the proposal does not provide clarity as to whether the required notice must include reference to or details about the company's response capabilities, including its cyber defenses and response techniques and if construed broadly, the proposal could require reports that might effectively "roadmap" a firm's vulnerabilities and response strategy to attackers. Commenters also recommended that the Board make clear that reporting firms can provide estimates as part of its disclosure. One commenter requested clarity regarding the actions the Board may take in connection with any reported cybersecurity incidents, including the proposed regulatory follow-up.
[top] Given the above comments, the Board would expect such confidential reports to include sufficient information for the PCAOB to understand the nature of the incident and whether regulatory follow-up is warranted, including a brief description of the nature and scope of the incident; when it was discovered and whether it is ongoing; whether any data was stolen, altered, accessed, or used for any unauthorized purpose; the determined effects of the incident on the firm's operations; whether the firm has remediated or is currently remediating the incident; and whether the firm has reported the incident to other authorities. The term "sufficient information" is clarified above by detailing the level of information the Board expects in the disclosure. In response to whether or not the Board requires information regarding response capabilities and the vulnerabilities that may arise from this, the Board has only required information that indicates whether or not the firm is remediating the incident and regardless of the level of detail provided, this information will remain confidential. Further, as stated above, firms may provide estimates, as needed, to satisfy this disclosure requirement and thereafter update the PCAOB as information becomes clearer if appropriate. Such estimates may be later clarified via regulatory-follow-up. Such follow-up will be based on the facts and circumstances of the particular disclosure and will be performed on an informal basis with PCAOB staff. Last, the Board has amended Form 3, but not the rule text, to include a short description of the information the Board expects to be reported. The Board believes that amending the form sufficiently addresses the expressed need for clarity regarding the information to be reported.
Comments on Confidentiality and Conflicts
Commenters also commented on the confidentiality of cybersecurity incident reporting. Some commenters requested that the Board clarify that the checkbox on Form 3 is confidential since making this information public would undermine the confidentiality of the reports and likely confuse readers who would not be provided any information on such breaches. Commenters also opposed any requirement to make public any cybersecurity incident details, citing security concerns and pointing to the fact that firms are already required to make certain disclosures and reporting if there is a data breach. One commenter stated that firms should not be required to disclose information to the PCAOB confidentially or otherwise that exceeds applicable federal and state laws, rules and regulations. The Board recognizes the critical importance of confidential reporting of cybersecurity incidents, both to the reporting firms and to the oversight function of the PCAOB, as explained in the proposal. The Board clarifies that the checkbox on Form 3 will remain confidential as well as the reported information.
Further, commenters addressed potential conflicts with other obligations of audit firms that such a disclosure rule could create. A commenter stated that there is potential for this disclosure rule to divert resources away from the primary objectives of responding and recovering from a cyber incident. Another stated that this reporting regime could lead to significant confusion among security professionals regarding the circumstances in which a reporting requirement is triggered as they have other cybersecurity reporting requirements to follow. A commenter also highlighted guidance published by the Federal Bureau of Investigation which included a request for disclosure delays for national security or public safety reasons. This commenter urged the PCAOB to explain whether and how this process, or one like it, also should apply in the context of registered firms, and whether and how the Board's proposal may conflict with those other requirements and guidance. Also, one commenter compared the proposal with the related SEC Cyber release and noted that the Board's expectation that a firm include whether it has reported an incident to other authorities is not in the SEC Cyber Release and this could have unintended consequences. This commenter recommended that the PCAOB's reporting requirements remain consistent with the final SEC cyber release when "providing a brief description of the event." Lastly, one commenter expressed concern that cybersecurity professionals will become confused by the growing number of different and inconsistent cybersecurity reporting regulations and frameworks.
After considering the comments above, the Board does not believe there are any known direct conflicts with other current obligations of audit firms, but, in an effort to avoid unintended consequences, the Board has eliminated the requirement for a firm to include whether it has reported an incident to other authorities. The Board will continue to monitor the different disclosure regimes that impact audit firms and the interaction of these final amendments with them. With respect to the concern that the disclosure rule may divert resources away from the objectives of responding and resolving an incident, the Board believes that the disclosure requirements are not onerous and primarily require general, high-level information regarding the incident. As a general matter, to the extent firms have other cyber reporting obligations, they should already be monitoring for these types of events. Further, any security concerns should be assuaged by the fact that the disclosure is confidential to the PCAOB.
Regarding the timing of the Board's consideration of the final amendments, one commenter recommended that the Board delay any finalization of its own cybersecurity incident reporting requirements at least until proposed rules under the Cyber Incident Reporting for Critical Infrastructure Act ("CIRCIA") are adopted. The Board does not anticipate that the proposed CIRCIA rules will conflict with its reporting requirements and the Board will continue with the established timeline.
For clarity, the cybersecurity incident reporting requirement in the final amendments is as follows. The Board has revised Form 3 to require the reporting of significant cybersecurity incidents within five business days on a confidential basis. The Board defines "significant cybersecurity incidents" as those that have significantly disrupted or degraded the firm's operations critical to the functioning of the audit practice; or those that have led to unauthorized access to the electronic information, communication, and computer systems (or similar systems) ("information systems") and networks of interconnected information systems of the firm in a way that has resulted in substantial harm to the audit firm. The reporting period would be measured from the time the firm determined the event to be significant.
The Board expects such confidential reports to include sufficient information for the PCAOB to understand the nature of the incident and whether regulatory follow-up is warranted, including a brief description of the nature and scope of the incident; when it was discovered and whether it is ongoing; whether any data was stolen, altered, accessed, or used for any unauthorized purpose; the determined effects of the incident on the firm's operations; and whether the firm has remediated or is currently remediating the incident.
2. Cybersecurity Policies and Procedures
[top] In the Board's proposal, the Board mentioned that in addition to cybersecurity incident reporting, it believed that investors, audit committees, other stakeholders, and the PCAOB would benefit from information regarding a firm's policies and procedures related to cybersecurity risks. Such information would allow all parties to understand and assess a firm's vulnerability to cybersecurity incidents that may ultimately: (1) expose issuer data to third parties and/or bad actors, and/or (2) impact audit firm operations or audit quality. Accordingly, the Board proposed to revise the Annual Report Form to request a brief description of the audit firm's policies and procedures, if any, to identify, assess, and manage material risks from cybersecurity threats. The proposed item would instruct the audit firm to include: (i) whether and how any such policies and procedures have been integrated into the registrant's overall risk management system or processes; (ii) whether the firm engages assessors, consultants, auditors, or other third parties in relation to cybersecurity risks; and (iii) whether the firm has policies and procedures to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider. The proposed requirement was not intended to elicit detailed, sensitive information but rather to inform the PCAOB, investors, audit committees, and other stakeholders of the firm's general policies and procedures, if any, to identify and manage cybersecurity risks. Several commenters supported the proposed revision to Form 2 requiring a "Statement on Policies and Procedures to Identify and Manage Cybersecurity Risks." One commenter agreed with the proposal's discussion of the importance of such disclosure and believed that the Board's proposed brief disclosure requirements were reasonable. One
Some commenters believed that this reporting rule reaches outside the bounds of the PCAOB's jurisdiction. One commenter suggested that the PCAOB drew an inaccurate comparison in the proposal between a registrant's disclosures to shareholders and other investors with a firm's disclosures to the PCAOB. Another stated that the proposed requirement is unclear and that disclosure of how firms manage cybersecurity risks may provide data points to cyber-criminals to assist them in breaching a firm's defenses. A commenter, in contrast, recommended that the Board broaden the proposed disclosure cybersecurity requirement to include technology-related risks like those related to artificial intelligence. Some commenters were concerned with the usefulness of this information to stakeholders. One in particular suggested that the Board clarify how high-level or specific the firm policies and procedures would be meaningful to investors, as well as to reassess which reported information would be available to the public. Another stated that further guidance is needed regarding this requirement especially with respect to smaller firms. That same commenter also does not support the requirement to report "whether the firm engages assessors, consultants, auditors, or other third parties in relation to cybersecurity risks" as they believe it is overly broad, its value is unknown, and it could provide a signal to hackers regarding the firm's cybersecurity defenses. One commenter recommended expanded outreach to determine whether the proposed disclosures provide decision-useful information and how such information would be used.
After consideration of the comments above, the Board believes that the parameters of the disclosure of cybersecurity policies and procedures should remain as proposed. As an initial matter, the rule is clear that firms should provide only a brief description and therefore the rule does not require specific enough information to create a security risk. Because the information requested is general in nature, firms can exercise a degree of judgment when it comes to the level of detail disclosed as part of their policies and procedures. Disclosure items like "whether the firm engages assessors, consultants, auditors, or other third parties in relation to cybersecurity risks" do not imply a disclosure of the identities of any parties that could potentially create a security risk. Further, while expanding the requirement to include a discussion of technology-related risks like artificial intelligence would have potential benefits for investors and audit committees, the Board believes that it is outside the bounds of its initial proposal and may require more detailed disclosure than the requirement contemplates, which may in turn create security risks. With respect to commenter concerns on the usefulness to stakeholders, the Board believes that the disclosures would provide investors and audit committees with additional information to understand efforts taken to protect an issuer's confidential data. Disclosing such information may also encourage firms to establish or improve their own cybersecurity policies and procedures as stakeholders assess a firm's vulnerabilities to cyberattacks that could impact its ability to deliver quality audit services.
Further, in response to commenters questioning the PCAOB's jurisdiction and as explained in the above section addressing authority, such disclosure is designed to elicit information about an operational aspect of the firm that has significant implications for the audit practice and, ultimately, to improve audit quality. Thus, it aligns with the overarching objectives of Sarbanes-Oxley and the PCAOB's authority under Section 102 of that Act. See a further discussion of the Board's authority to adopt the final amendments in a section above.
Updated Description of QC Policies and Procedures
In addition to the above revised periodic and special reporting framework, the Board proposed a reporting-related requirement that evolved out of QC 1000.
Any public accounting firm applying to the Board for registration pursuant to Rule 2100, Registration Requirements for Public Accounting Firms, must file an application for registration on Form 1. Form 1 requires that an applicant furnish, as an exhibit, a narrative, summary description, in a clear, concise and understandable format, of the quality control policies of the applicant for its accounting and auditing practices ("Statement of Applicant's Quality Control Policies and Procedures").
In May 2024, the Board adopted, and in September 2024, the Commission approved, a new QC standard, QC 1000, and other amendments to PCAOB standards, rules, and forms. That included an amendment to Form 1 that would require applications for registration after the effective date of QC 1000 to also indicate whether the firm has designed a QC system in accordance with QC 1000. However, the new standard and the related amendments do not include any mechanism for firms that registered with the Board prior to the effective date of QC 1000 (December 15, 2025) to provide an updated statement regarding their quality control policies pursuant to QC 1000.
The Board proposed to create a new form, Update to the Statement of Applicant's Quality Control Policies and Procedures (Form QCPP), to require that any firm that registered with the Board prior to the date that QC 1000 becomes effective must submit an updated statement of the firm's quality control policies and procedures pursuant to QC 1000. The Board believes it is important that firms update the statement regarding their quality control policies and procedures, originally made in connection with their registration application, to reflect the changes to their policies and procedures made in response to the new quality control standard. This is consistent with Sarbanes-Oxley Section 102(d), which permits the Board to require reporting "to update the information contained in [a firm's] application for registration." It would increase transparency to investors and audit committees, who could then evaluate whether and how firms are addressing QC 1000.
Several commenters agreed with the Board's proposed disclosure of updates to a firm's quality control policies and procedures, citing the benefits of investor transparency. On the other hand, some commenters questioned the form's usefulness to stakeholders. One stated that such a requirement could potentially lead to redundancies with the requirements of QC 1000 and cause confusion among stakeholders. Another commented that the PCAOB does not specify how PCAOB staff would evaluate and what they would do with this information, and does not explain the value of reporting by inactive firms that are not performing any public company audits and would not have audit committees or investors that would use that information. Similarly, several commenters opposed the application of Form QCPP to registered firms that are not currently providing audit services to issuers or broker-dealers. One suggested that the Board should consider requiring inactive firms to file Form QCPP only upon taking on an audit of an issuer or broker-dealer and that such an approach would be analogous to the SEC's requirements for newly registered companies, in which companies become IPO-ready but do not file registration statements until they access the capital markets.
[top] The Board does not believe that the institution of Form QCPP would create
Some firms had concerns regarding the clarity of proposed Form QCPP. One stated that if Form QCPP is retained, additional clarity is needed regarding the expectations surrounding the disclosure of the firm's quality control policies and procedures under QC 1000, including whether identification of quality objectives and risks is necessary. This same commenter questioned if the Board's disclosure rule requires a firm to test and make a determination as to whether it has designed a quality control system in compliance with QC 1000 before Form QCPP is filed. Another stated that it is unclear whether the Board has ongoing expectations or intentions related to updating Form QCPP and if additional submissions would be required, suggesting that any future submissions of Form QCPP would be unnecessary. One commenter was concerned that a "simple statement," rather than a more detailed explanation, in the Form QCPP would suffice and thus negate the usefulness of having such a disclosure requirement.
The Board believes that the proposed instructions to Form QCPP provide sufficient detail to guide a firm's compliant disclosure. The Board stated that "The Firm should not provide the Board with its entire internal quality control manual in response to this item, but should prepare a brief document that addresses its quality control policies and procedures as they relate to QC 1000. Specifically, the description should provide an overview of the Firm's policies with respect to roles and responsibilities; the firm's risk assessment process; governance and leadership; ethics and independence; acceptance and continuance of engagements; engagement performance; resources; information and communication; the monitoring and remediation process; evaluating and reporting on the QC system; and documentation." Such instructions indicate that while a "simple statement" would likely not be sufficient, a firm need not provide overly extensive detail either.
In response to a commenter's request for more clarity, the Board also notes the following: (1) Form QCPP is intended to serve as an update to information that firms provided with their registration application; (2) the instructions and guidance that the Board has provided mirror Form 1 and Registration FAQ 32 (issued December 4, 2017);? 117 and (3) the Board has not observed any significant confusion about the appropriate level of detail to be provided when the Board has processed registration applications for the last 20 years. Further, in response to a commenter questioning if the Board intended for firms to disclose quality objectives and quality risks, Form QCPP need not identify quality objectives and quality risks as these items are not classified as "policies and procedures." Firms also need not perform any test or reach any conclusion about their compliance with QC 1000 in submitting Form QCPP.
Footnotes:
117 ? See PCAOB Rel. No. 2003-011F at 12.
One commenter also suggested that the PCAOB not introduce a new form but rather enhance Form 2 to provide the relevant information annually so that the Board could obtain updates annually on that form together with all of the other information required on Form 2. The Board currently does not have the expectation that updating this form would be an ongoing requirement, but rather just a one-time public update to stakeholders. In that vein, the Board has not integrated this disclosure requirement with an existing form ( e.g., Form 2) because the Board does not expect firms to make a recurring public disclosure about their quality control policies and procedures. Moreover, this requirement is not meant to create additional obligations, apart from the one-time reporting obligation itself, with respect to a firm's quality control system ( i.e., there is no additional testing required). This rule also becomes effective after QC 1000 becomes effective, and thus, registered firms should already be compliant with QC 1000 by the time they must comply with this reporting obligation.
Lastly, one commenter was concerned about the lack of confidentiality. This commenter suggested including confidentiality considerations in the instructions to the form or clarifying that there is an option for a confidential treatment request. The Board does not believe that any of the information elicited in Form QCPP's instructions would necessitate confidentiality or the allowance of a confidential treatment request. None of the information would require disclosure of proprietary information and, based on the Board's experience in this area (and the fact that no commenter identified any law), no other law shields the information from disclosure. Because the information requested in Form QCPP consists of a summary or overview of policies and procedures, the Board believes that it should not be reflective of any proprietary information. The high-level nature of this disclosure requirement adheres to confidentiality principles and supports its designated public format. Also, in contrast to an internal audit manual, this disclosure should only consist of an overview of policies and procedures. No commenter identified any confidentiality law (beyond Section 102(e) of Sarbanes-Oxley) that would shield this information from disclosure. Moreover, confidential treatment would be at odds with the fundamental purpose of this requirement, which is to provide updated information to the public regarding a firm's quality control system in light of QC 1000.
Effective Date
For the enhanced periodic reporting requirements discussed above, the Board proposed phased implementation to give smaller firms more time to develop and implement the necessary tools. For the first phase, the Board considered making the requirements effective as of March 31, 2026, or one year after approval of the requirements by the SEC, whichever occurs later. The first phase would apply to the largest firms as defined in proposed Rule 2208 (being adopted as Rule 4013). The second phase, which would begin one year after the first phase, would cover the remaining firms subject to reporting requirements.
[top] For the special reporting and cybersecurity incident reporting requirements, the Board considered making the requirements effective as of 90 days after approval of the requirements by the SEC for all firms
For the financial statement requirements discussed above, the Board proposed to make the interim requirements effective March 31, 2026, or one year after approval of the requirements by the SEC, whichever occurs later. The final requirement for compliance with the applicable financial reporting framework would have been effective March 31, 2028 or three years after approval by the SEC, whichever is later.
For the disclosure required in Form QCPP, the Board considered aligning the effective date for Form QCPP with the effective date for QC 1000.
Some commenters requested additional time beyond the proposed effective date, with some citing the time needed to conform their systems to the new requirements and others citing new concurrent PCAOB or industry standards. A commenter urged us to wait until QC 1000 has been adopted by firms, and a post-implementation review of the standard has been performed before proposing any additional disclosures by firms. Another firm suggested a pilot reporting period in test environment prior to the final effective date to ensure a smooth transition.
The Board has provided additional time before the effective date for each requirement. For the enhanced periodic reporting requirements, and for the enhanced special reporting requirements, the Board has adopted phased implementation to give smaller firms more time to develop and implement the necessary tools. For the first phase, the final amendments, if approved by the SEC, will become effective as of March 31, 2027, or two years after approval of the requirements by the SEC, whichever occurs later. The first phase applies to the largest firms as defined in new rule 4013. For the second phase, the final amendments will become effective one year after the first becomes effective. The second phase will apply to the remaining firms subject to reporting requirements.
For the Form QCPP requirement, the Board has, as proposed, aligned the effective date for Form QCPP with the effective date for QC 1000. Thus, the final amendments will become effective December 15, 2025. However, in a change from the proposal, the Board has provided that Form QCPP be submitted no later than 30 days after December 15, 2025 (by January 14, 2026).
Except for the Form QCPP requirement which aligns with the QC 1000 effective date, the Board notes that the effective dates post-date the QC 1000 effective date. The Board has not, however, delayed the effective date of the final amendments until after a post-implementation review of QC 1000, as some commenters requested, as the Board believes that would represent an excessive delay and these amendments (apart from Form QCPP) intersect with QC 1000 only in minor respects.
As some commenters requested that the Board create a test environment before making these requirements effective, the Board may consider a test environment for new confidential reporting in the future; a test environment need not be addressed via the rulemaking process.
D. Economic Considerations and Application to Audits of Emerging Growth Companies
The Board is mindful of the economic impacts of its rulemakings. This economic analysis describes the economic baseline, need, and expected economic impacts of the final rule, as well as alternative approaches considered. Due to data limitations, much of the economic analysis is qualitative in nature; however, where reasonable and feasible, the economic analysis incorporates quantitative information, including on the number of PCAOB-registered public accounting firms and the number of Form 2 and Form 3 filings. The analysis also incorporates information from academic literature.
The Board sought and received comments on the economic analysis in the proposal. 118 To the extent that commenters expressed views related to the economic analysis, many commenters generally acknowledged the importance of audit firm reporting and transparency to support decision-making by stakeholders. Several commenters questioned the need for the Firm Reporting requirements. Some commenters affirmed benefits described in the proposal, while some commenters questioned the benefits associated with certain reporting requirements, such as certain governance and network disclosures. In addition, several commenters expressed doubt regarding a direct linkage between audit quality and certain reporting requirements, such as certain details of audit fees and governance characteristics. Some commenters expressed concerns about costs associated with some reporting requirements, such as detailed audit fees for foreign firms and additional specified events for special reporting. Several commenters suggested that the economic analysis should more explicitly consider costs that could disproportionately impact smaller firms, foreign firms, and smaller companies. Some commenters described potential unintended consequences, including market exit and diversion of resources, while some commenters suggested alternatives to the reporting requirements, such as scaling the reporting requirements and limiting collection of data to the inspection process. A few commenters offered a quantitative perspective regarding impacts, and several commenters referenced additional academic research for the Board's consideration. The Board has considered all of the comments, including the quantitative perspectives and academic research the commenters referenced, and has developed the following economic analysis that evaluates the expected benefits and costs of the final requirements, discusses potential unintended consequences, and provides comparisons to alternative actions considered.
Footnotes:
118 ? See Firm Reporting, PCAOB Rel. No. 2024-003 (Apr. 9, 2024).
Baseline
This section discusses the economic baseline against which the economic impacts of the final rule can be considered. The Background and Key Considerations section above describes important components of the baseline, including an overview of existing reporting requirements on PCAOB Form 2 and Form 3.
[top] Limited information is currently available on Form 2 and Form 3 for the areas of the final reporting requirements, and the baseline applies to the collective reporting requirements. Form 2 currently contains two items that are related to the reporting requirements in the final rule but do not require the particular information specified under the final rule. First, Item 3.2 of Form 2 currently collects fees billed to issuer audit clients-separately for audit services, other accounting services, tax services, and non-audit services-as a percentage of total fees billed by a firm to all clients for services that were rendered in the reporting period. Item 3.2 does not currently require firms to report actual fee amounts on Form 2- i.e., the numerator and denominator of the percentage calculations. In addition, Item 3.2 does not currently require firms to report fees billed to broker-dealer audit clients during the reporting period. Second, Item 5.2 of Form 2 currently asks firms to state whether the firm has any: (i) membership or affiliation with any
The current reporting requirements on Form 2 and Form 3, together with uses of the information collected, firms' filing practices, and other sources of audit firm information, form the baseline from which the Board assesses the economic impacts of the final reporting requirements. The Board discusses below: (i) PCAOB uses of Form 2 and Form 3, including firms' filing practices; (ii) investor and audit committee potential uses of Form 2 and Form 3; and (iii) other sources of audit firm information.
1. PCAOB Uses of Form 2 and Form 3
Pursuant to the Sarbanes-Oxley Act, Form 2 and Form 3 are used by the Board to exercise its statutory oversight function and provide decision-useful information to the public. Form 2 collects basic information once a year about the firm and the firm's audit practice over a 12-month reporting period. Form 2 is required to be filed annually by all PCAOB-registered firms. Form 3 collects information upon the occurrence of specified events, such as when a firm resigns or is dismissed from an audit engagement in certain circumstances or when a firm has become aware that it has become a defendant in a criminal proceeding. The contents of Form 2 and Form 3 for each firm are generally made publicly available on the PCAOB website, with some exceptions if the firm requests and is granted confidential treatment.
The Board uses information reported on Form 2 and Form 3 to: (i) keep firms' basic records current; (ii) plan and inform the Board's statutory oversight function; and (iii) monitor specified events that could merit follow-up. The number of PCAOB-registered firms as of December 31, 2023, was 1,599, most of which were subject to Form 2 and Form 3 reporting requirements? 119 in the 2023 filing year and will be subject to the reporting requirements in the absence of any withdrawals. Figure 1 and Figure 2 below present the counts of registered firms and the counts of Form 2 and Form 3 filings the registered firms utilized to communicate annual information and specified events, respectively, to the Board based on current reporting requirements. The counts in Figure 1 and Figure 2 provide a reference point for the number of firms that will be expected to comply with the additional reporting requirements of the final rule.
Footnotes:
119 ?Form 2 and Form 3 filings are suspended while a registered firm has a Form 1-WD pending. See PCAOB Rule 2107(c)(2), Withdrawal from Registration. In addition, Form 2 is not required by a registered firm that has an application for registration approved by the Board in the period between and including April 1 and June 30 of the filing year. See PCAOB Rule 2201, Time for Filing of Annual Report.
i. Form 2
Form 2 reporting provides a profile of a firm at a point in time, based on the firm's activity related to audits of issuers and broker-dealers over the most recent 12-month reporting period. For example, information reported on Form 2 Part V (Offices and Affiliations) is used by PCAOB staff for inspection planning. Information reported on Form 2 also keeps current the Board's records about basic matters, such as the firm's name, location, and contact information, which informs other Board oversight activities. For example, primary contact information reported on Form 2 Part I (Identity of the Firm and Contact Persons) is used by PCAOB staff to identify the firm-designated contact person to whom document requests for investigations should be sent.
PCAOB supports either extensible markup language ("XML") or an internet-based form for firms to file Form 2. For the XML option, PCAOB makes available a schema, and firms develop their own computer program consistent with the schema to then generate the filing. Some large firms share the same program within their network to manage the cost of developing a program. The XML filing option for Form 2 generally facilitates filing for firms with large numbers of audits due to the standardized nature of data collected for each audit on Form 2. One commenter suggested that firms' current reporting practices were not clear in the proposal. However, the proposal explained that approximately twelve of the largest firms currently file Form 2 via XML, which covers the vast majority of issuer engagements based on market capitalization. All other firms file Form 2 via the PCAOB Web-based form.
Figure 1 provides for the 2023 filing year counts of PCAOB-registered firms that filed a Form 2 and counts of firms that signed an issuer or a broker-dealer audit opinion. For the 2023 filing year, the number of registered firms that filed Form 2 was 1,419 and the number of firms that did not file was 180. The number of registered firms that filed a Form 2 and signed an opinion in the 2023 filing year was 570. Firms are subject to Form 2 reporting requirements whether or not they sign an audit opinion.
Footnotes:
120 ?Counts include: (i) registered firms with status "Currently Registered" (1,568), "Suspended" (1), "Suspended; Withdrawal Pending" (0), and "Withdrawal Pending" (30) and (ii) firms exempted from Form 2 filing under PCAOB Rule 2201 because they had an application for registration approved by the Board in the period between and including April 1 and June 30 of the 2023 filing year. Opinion categories are based on data from Audit Analytics (including Feed 6, Feed 34, and Feed 27) for firms that filed Form 2. The "substantial role only" line items are based on data from Form 2 and indicate the number of firms that played a substantial role only for the opinion categories in which the primary auditor signed an opinion or no opinion was signed. For more discussion of firms' registration status and firms that do not file Form 2, see Proposals Regarding False or Misleading Statements Concerning PCAOB Registration and Oversight and Constructive Requests to Withdraw from Registration, PCAOB Rel. No. 2024-001 (Feb. 27, 2024).
[top]
| As of 12/31/2023 | |
|---|---|
| Number of registered firms | 1,599 |
| Filed Form 2 | 1,419 |
| Did not file Form 2 | 180 |
| Types of opinions for firms that filed Form 2: | |
| Signed issuer opinions only | 321 |
| Substantial role only | 5 |
| Signed broker-dealer opinions only | 128 |
| Substantial role only | 3 |
| Signed issuer and broker-dealer opinions | 121 |
| Substantial role only | 2 |
| Signed no opinions | 849 |
| Substantial role only | 74 |
ii. Form 3
Form 3 reporting alerts the Board to the occurrence of specified events, such as disciplinary proceedings or withdrawal of an audit report in certain circumstances, that may have more immediate bearing on how the Board carries out its statutory oversight function. In addition, information reported on Form 3 is used by PCAOB staff to assess whether the information indicates a potential violation of applicable standards or rules. Special reporting enables the PCAOB to consider whether prompt action is warranted by the Board's inspection process or enforcement process. Under the extant rules, firms currently have 30 days after a reportable event to file Form 3. 121 PCAOB staff analysis indicates that during the period 2018-2022, firms filed Form 3 in less than 15 days after a reportable event for 12.1 percent of specified events reported. 122 PCAOB supports either XML or a Web-based form for firms to file Form 3. One commenter suggested that firms' current reporting practices were not clear in the proposal, but the proposal explained that based on the unique nature of each Form 3 filing, no firms have chosen to file Form 3 via XML.
Footnotes:
121 ? See PCAOB Rel. No. 2008-004.
122 ?The following reportable events were included in the staff analysis: Item 3.1 (Withdrawn Issuer Audit Reports and Consents); Item 3.2 (Issuer Auditor Changes); Item 4.1 (Criminal, Governmental, Administrative, or Disciplinary Proceedings); Item 4.2 (Concluded Criminal, Governmental, Administrative, or Disciplinary Proceedings); Item 5.1 (New Relationship with Person Subject to Bar or Suspension).
Figure 2 provides counts of firms that filed at least one Form 3, counts of Form 3 filed, and counts of the reasons for which Form 3 was filed. For the 2023 filing year, the number of firms that filed Form 3 was 299 and the number of forms filed was 563. The Board does not have information on the number of firms that failed to file Form 3 or the number of Form 3 that firms failed to file. The top three reasons firms filed Form 3 are: (i) the firm became aware of changes related to certain legal proceedings; (ii) there was a change in the firm's legal name or in the business contact information of the firm's primary contact with the Board; and (iii) the firm experienced a change in license or certification to engage in the business of auditing or accounting in a certain jurisdiction.
| As of 12/31/2023 | |
|---|---|
| Number of registered firms | 1,599 |
| Number of firms that filed at least one Form 3 | 299 |
| Number of Form 3 filed | 563 |
| Number of reasons for filing Form 3 | 739 |
| Changes in certain legal proceedings | 332 |
| Changes in the firm's name or contact person | 191 |
| Changes in licenses and certifications | 127 |
| Amendments to previously-filed Form 3 | 55 |
| Withdrawal of an audit report, resignation or dismissal or a firm, or issuance of audit reports with respect to more than 100 issuers | 30 |
| Changes in certain relationships ( i.e., new relationship with person subject to bar or suspension, new ownership interest by firm subject to bar or suspension, or certain arrangements to receive consulting or other professional services) | 4 |
2. Investor and Audit Committee Potential Uses of Form 2 and Form 3
Footnotes:
123 ?Counts include registered firms with status "Currently Registered" (551), "Withdrawal Pending" (6), and "Registration Withdrawn" (6). Counts are determined based on the number of original Form 3 and amended Form 3 filed in a given calendar year. A firm may file more than one Form 3. A single Form 3 filing may include more than one reason, and each reason is included in the counts.
The Board does not monitor specific uses of Form 2 or Form 3 by investors and audit committees. However, Form 2 and Form 3 information is generally publicly available for investors and audit committees to inform their views of firms and the audit market. For example, investors and audit committees can observe information reported on Form 2, such as a firm's client base or number of CPA personnel, to inform their selection of a firm. Likewise, investors and audit committees can observe information reported on Form 3, such as a withdrawal of an audit report, to monitor and understand developments that may impact their confidence in financial reporting quality.
[top] The Board does not track types of visitors to specific forms on the PCAOB website, reasons for those visits, or views of specific forms. However, the Board does track unique visits to all PCAOB forms filed- i.e., Forms 1, 2, 3, 4, and AP-that are publicly available on the PCAOB website. For calendar
Footnotes:
124 ?The RASR database can be found on the PCAOB's website, available at https://rasr.pcaobus.org/Search/Search.aspx. The usage statistics may underestimate actual public interest because investors, researchers, auditors, audit committees, and issuer management may source PCAOB information through external third-party data service providers-such as Ideagen's Audit Analytics. The usage statistics may also overestimate actual public interest to some extent because they include internal PCAOB users.
125 ?Information related to usage statistics can be found on the PCAOB's website, available at https://pcaobus.org/resources/auditorsearch.
One commenter noted that the proposal did not cite academic research that suggests that certain investors do not voluntarily access Form AP data. 126 Since the study focuses on non-professional investors, the Board notes that the results may not necessarily generalize to other types of investors, such as institutional investors. Previous academic research also suggests that investors did not respond to information reported in Form AP soon after the form became effective. 127 However, the absence of a response soon after the form became effective does not mean information has no value to investors or audit committees. For example, more recent academic research suggests that audit partner disclosures in Form AP provide useful information to equity markets. 128
Footnotes:
126 ? See, e.g., Candice T. Hux, How Does Disclosure of Component Auditor Use Affect Nonprofessional Investors' Perceptions and Behavior?, 40 Auditing: A Journal of Practice & Theory 35 (2021) (finding that very few non-professional investors voluntarily access component auditor information disclosed in Form AP).
127 ? See, e.g., Marcus M. Doxey, James G. Lawson, Thomas J. Lopez, and Quinn T. Swanquist, Do Investors Care Who Did the Audit? Evidence from Form AP, 59 Journal of Accounting Research 1741 (2021) (finding little evidence of a significant investor response following the disclosure of partner identity and component auditor participation in the first three years after Form AP was effective).
128 ? See, e.g., Daniel Aobdia, Vincent Castellani, and Paul Richardson, Do Investors Care Who Led the Audit in the U.S.? Evidence from Announcements of Accounting Restatements, available on SSRN: https://ssrn.com/abstract=4702538 (2024) (finding that following the mandated disclosure of audit partner names on Form AP, a U.S. audit partner's non-restating clients experience a significant negative market reaction in the days surrounding the announcement of another client's restatement). The Board notes that SSRN does not peer review its submissions.
One commenter reported results from a survey they conducted of 100 institutional investor respondents? 129 that found 25 percent of respondents navigate to the AuditorSearch Web service very often, 54 percent navigate to it often, 16 percent navigate to it sometimes, 3 percent navigate to it rarely, and 2 percent navigate to it never. 130 The commenter also reported results from a survey they conducted of 242 audit committee member respondents? 131 that found 0.4 percent of respondents navigate to the AuditorSearch Web service very often, 3.7 percent navigate to it often, 15.7 percent navigate to it sometimes, 27.3 percent navigate to it rarely, 36.4 percent navigate to it never, and 16.5 percent are unfamiliar with PCAOB Form AP. 132 Results from both of these surveys indicate that institutional investor respondents and audit committee member respondents navigate to the AuditorSearch Web service, but the results do not indicate the extent to which institutional investor respondents and audit committee member respondents use the AuditorSearch information.
Footnotes:
129 ? See Center for Audit Quality, PCAOB Engagement Metrics Report-Investors (July 2024) ("CAQ Investor Survey"). The survey was conducted online from May 15, 2024, to May 22, 2024.
130 ? See CAQ Investor Survey. The survey question asked, "How often do you navigate to the AuditorSearch on the PCAOB's Form AP, Auditor Reporting of Certain Audit Participants website?"
131 ? See Center for Audit Quality, Audit Firm & Engagement Disclosures; Stakeholder Information Needs (July 2024) ("CAQ Audit Committee Survey"). The survey was conducted online from May 29, 2024, to June 14, 2024.
132 ? See CAQ Audit Committee Survey. The survey question asked, "How often do you navigate to the AuditorSearch on the PCAOB's Form AP, Auditor reporting of Certain Audit Participants website?"
In addition to the information that the firm makes publicly available through required form filings, the PCAOB provides public disclosures of firm inspection reports. 133 During the 2023 calendar year, firm inspection reports were downloaded approximately 113,000 times. Academic research suggests that audit committees use the information contained in PCAOB inspection reports. 134 Additionally, some academic research suggests that PCAOB inspection reports provide useful information to investors. 135 However, some research indicates that institutional investors may not be aware of or find value in PCAOB inspection reports, suggesting that current research captures the lower bound of the effect of PCAOB inspection information to investors. 136 One commenter questioned whether investors access or analyze Form 2 data to seek insights about audit firms in light of the research that suggests institutional investors may not be aware of or find value in PCAOB inspection reports. However, the Board does not draw inferences regarding the usefulness of Form 2 data from the research results regarding PCAOB inspection reports.
Footnotes:
133 ?Firm inspection reports can be found on the PCAOB's website, available at https://pcaobus.org/oversight/inspections/firm-inspection-reports.
134 ? See, e.g., Daniel Aobdia, The Impact of the PCAOB Individual Engagement Inspection Process-Preliminary Evidence, 93 The Accounting Review 53 (2018) (finding that companies are more likely to switch auditor when firm offices or partners receive a Part I audit deficiency).
135 ? See, e.g., Nemit Shroff, Real Effects of PCAOB International Inspections, 95 The Accounting Review 399 (2020) (finding, using a sample of foreign companies, that companies enjoy greater access to capital when their auditor's PCAOB inspection report does not include Part I deficiencies)); Andrew Acito, Amir Amel-Zadeh, James Anderson, William L. Anderson, Daniel Aobdia, Francois Brochet, Huaizhi Chen, Jonathan T. Fluharty-Jaidee, Martin Schmalz, Manyun Tang, and Scott Jinzhiyang Wang, Market-Based Incentives for Optimal Audit Quality, available on SSRN: https://ssrn.com/abstract=4997362 (2024) (finding that when PCAOB inspection reports can be easily linked to the issuer being audited, issuers whose audit was not found to be deficient significantly outperform issuers whose audit was found to be deficient). The Board notes that SSRN does not peer review its submissions.
136 ? See, e.g., CAQ, Perspectives on Corporate Reporting, the Audit, and Regulatory Environment (Nov. 2023) (finding that most institutional investors interviewed were unaware of PCAOB inspection reports, and to the extent investors were aware, found the report results to be expected); Clive Lennox and Jeffrey Pittman, Auditing the Auditors: Evidence on the Recent Reforms to the External Monitoring of Audit Firms, 49 Journal of Accounting and Economics 84 (2010) (finding that companies do not perceive that the PCAOB's disclosed inspection reports are valuable for signaling audit quality).
[top] One commenter suggested that investors' and audit committees' uses of information regarding firms were not clearly understood from the analysis in the proposal. However, the proposal did discuss the potential uses of Form 2 and Form 3 information as noted above, and commenters did not explicitly disaffirm the potential uses. In addition, one commenter reported results from a survey they conducted of 100 institutional investor respondents that found 30 percent of respondents navigate to the PCAOB's Registered Firms website? 137 very often, 52 percent navigate to it often, 13 percent navigate to it sometimes, 2 percent navigate to it rarely, and 3 percent navigate to it never. 138 Of the 95 institutional investor
Footnotes:
137 ?The PCAOB Registered Firms website contains a firm summary page where the public can view a firm's registration, Form 2 annual reports, Form 3 special reports, inspection reports, and disciplinary actions, available at https://pcaobus.org/oversight/registration/registered-firms.
138 ? See CAQ Investor Survey. The survey question asked, "How often do you navigate to the PCAOB's Registered Firm website?"
139 ? See CAQ Investor Survey. The survey question asked, "What information do you find useful on the PCAOB's Registered Firms website? Select all that apply."
140 ? See CAQ Audit Committee Survey. The survey question asked, "How often do you navigate to the PCAOB's Registered Firms website?
141 ? See CAQ Audit Committee Survey. The survey question asked, "What information do you find most useful on the PCAOB's Registered Firm site?"
3. Other Sources of Audit Firm Information
In addition to Form 2 and Form 3, investors, audit committees, and the Board have access to audit firm information through other public sources. As discussed in Background and Key Considerations, some firms disclose information-such as financial, governance, and network information-as part of voluntary or mandatory transparency reports. 142 These reports are generally published by firms annually for access by the public. 143 In addition, the SEC requires issuers to disclose audit fees, audit-related fees, tax fees, and other fees paid to audit firms in the two preceding fiscal years. The disclosed amounts may include fees paid to multiple audit firms rather than a single audit firm. Information related to certain legal proceedings- e.g., SEC enforcement actions-is also publicly available. 144 However, due to the investigation and litigation process, information may be publicly available only after a substantial lag.
Footnotes:
142 ?Under PCAOB auditing standards and applicable U.S. law, audit firm transparency reports are voluntary and unregulated disclosures. Consequently, firms can disclose information of their own choosing and construction. In practice, firms that do publish transparency reports disclose information that is required in reports pursuant to disclosure rules in other jurisdictions, such as in the European Union ( i.e., EU-No 537/2014 Article 13), or similarly adopted domestic requirements in the UK under the Financial Reporting Council's authority ( i.e., the Companies Act of 2006, and Statutory Auditors and Third Country Auditors Regulations of 2016).
143 ? See, e.g., Deloitte, 2023 Transparency Report (Sep. 2023); EY US, 2023 Transparency Report (Oct. 26, 2023); KPMG International, Transparency Report 2023 (Dec. 2023); PricewaterhouseCoopers LLP, 2023 Transparency Report (Oct. 31, 2023).
144 ? See the SEC's Accounting and Auditing Enforcement Releases site, available at https://www.sec.gov/divisions/enforce/friactions.
Certain information regarding some individual audit firms-such as total revenue, breakdown of revenue by service line, and number of partners and professionals-is accessible through paid subscription services, but these sources do not include all firms. 145 In addition, certain aggregated information regarding groups of firms-such as revenue, profits, and compensation-is accessible through paid subscription services, but these sources do not provide information regarding individual firms. 146
Footnotes:
145 ? See, e.g., Accounting Today, Top 100 Firms (2022).
146 ?See, e.g., AICPA, National Management of an Accounting Practice Survey Results Report (Oct. 2023); Audit Analytics, 20-Year Review of Audit Fee Trends (July 2023).
Audit committees can request and receive firm information through sources not available to the public, including directly from their incumbent auditors and tendering firms. In exercising their oversight responsibilities, for example, audit committees may seek information from the firm about PCAOB inspections, including information not contained in the PCAOB's public inspection reports. 147 In addition, auditing standards and PCAOB and securities law provisions require specific communications from auditors to audit committees regarding a variety of matters related to the audit engagement. For example, audit committees receive information through communications from auditors to audit committees under PCAOB AS 1301, Communications with Audit Committees, and Exchange Act Section 10A reports regarding illegal acts at an issuer in certain situations, but this information pertains to the audit engagement or the issuer rather than the audit firm.
Footnotes:
147 ?See Information for Audit Committees About the PCAOB Inspection Process, PCAOB Rel. No. 2012-003 (Aug. 1, 2012).
Several commenters affirmed that audit committees have bargaining power that gives the audit committee direct and timely access to information the audit committee requests. One commenter asserted that audit committees have access to any relevant peer firm information for comparisons with the incumbent audit firm, including when the audit committee is considering changing audit firms. The commenter also affirmed that audit firm information is available through publicly available sources, such as audit quality reports and transparency reports by larger firms, or by requesting any relevant non-public information from each potential audit firm. Another commenter, representing audit committee chairs, affirmed that audit committee chairs already receive or have access to most of the information that is being mandated. One commenter noted that the provision of information by audit firms to audit committees involves two-way contextual communication that the commenter believed will fulfill the objectives outlined in the proposal.
The Board continues to agree that audit committees can request and receive firm information directly from their incumbent auditors and tendering firms. Likewise, the commenters affirmed that the firm information is not directly available to investors for their own voting and monitoring purposes. Moreover, the Board expects that audit committees will continue to engage in two-way communication with audit firms and that the required disclosures will equip investors with information they can use in communication with their own audit committees.
[top] The Board routinely collects supplemental audit firm information through the inspection process. For example, PCAOB staff periodically requests and receives select financial information, such as revenue and net income, to understand a firm's business and thereby to inform inspection scoping and planning. In addition, PCAOB staff periodically requests and receives data on audit firm boards of directors, including their composition and governance committees, to understand firms' governance structures and inform inspection scoping and planning. The supplemental information is not available to investors
Footnotes:
148 ? See Section 105(b)(5) of Sarbanes-Oxley.
149 ? See Section 102(e) of Sarbanes-Oxley. Although some information may nonetheless be determined to be confidential and, thus, would not be publicly reported.
The proposal explained that PCAOB staff has also requested and received through the inspection process, financial statements for the U.S. global network firms ("GNFs")? 150 to understand the financial condition or financial results at these firms that may affect audit quality or the provision of audit services. For example, financial statements provide useful information regarding where firm resources are dedicated to help evaluate the system of quality control. All U.S. GNFs compile financial statements on a non-GAAP or modified GAAP basis of accounting. Some compile financial statements in accordance with partnership agreements or agreements with lenders. While the financial statements are not fully consistent with GAAP, the U.S. GNFs generally use an accrual basis of accounting. The U.S. GNFs do not compile a full set of financial statements by service line. Two U.S. GNFs compile revenue by service line. In addition, based on the entity registered with the Board, some firms submit consolidated financial statements for the entire professional service practice, and other firms submit financial statements only for the audit practice.
Footnotes:
150 ?GNFs are the member firms of the six global accounting firm networks (BDO International Ltd., Deloitte Touche Tohmatsu Ltd., Ernst & Young Global Ltd., Grant Thornton International Ltd., KPMG International Ltd., and PricewaterhouseCoopers International Ltd.).
Several commenters affirmed that U.S. audit firms generally compile financial statements on a non-GAAP or modified GAAP basis of accounting. One commenter asserted that the proposal did not explain how obtaining firms' financial statements has informed the inspection process. However, as noted in the previous paragraph, the proposal explained that PCAOB staff has requested and received financial statements for U.S. GNFs to understand the financial condition or financial results at these firms that may affect audit quality or the provision of audit services.
PCAOB staff observations indicate that U.S. GNFs have designed policies and procedures to identify, mitigate, and respond to cybersecurity threats. The current PCAOB reporting framework does not specify that firms should provide PCAOB with notification of cybersecurity incidents or disclose information regarding cybersecurity policies and procedures. Cybersecurity is identified in recent surveys as a top risk by company executives, investors, and audit committees. 151 In addition, PCAOB oversight indicates that the cybersecurity landscape faced by firms continues to evolve and that cybersecurity incidents at firms are increasing in both volume and complexity. Estimates of aggregate and per-incident annual costs associated with cybersecurity incidents vary widely, 152 and the costs of responding to a cybersecurity incident decrease when organizations are well-prepared with cybersecurity playbooks and simulated cybersecurity incidents. 153 Accounting firms are targeted by cybercriminals because firms are stewards of confidential information. 154 In addition, smaller and mid-sized firms are targeted because they may lack sophisticated cybersecurity infrastructure and can act as gateways to other targets. 155 While research finds that the statistical probability of a cybersecurity incident at smaller companies is lower than for larger companies, 156 the costs of a cybersecurity incident are statistically disproportionately higher for smaller companies than for larger companies. 157
Footnotes:
151 ?See, e.g., EY, EY CEO Imperative Study 2019 (July 2019); PCAOB, Spotlight: 2021 Conversations with Audit Committee Chairs (Mar. 2022); CAQ, Audit Committee Practices Report (Mar. 2024).
152 ? See, e.g., Cybersecurity and Infrastructure Security Agency, Cost of a Cyber Incident: Systematic Review and Cross-Validation (Oct. 26, 2020) (explaining that aggregate annual estimates for U.S. economic impacts from cyber incidents range from under $1 billion to over $242 billion while median estimates per incident range from about $56,000 to almost $1.9 million); Sasha Romanosky, Examining the Costs and Causes of Cyber Incidents, 2 Journal of Cybersecurity 121 (2016) (finding the cost of a typical cyber incident is about 0.4 percent of a company's annual revenue); Cyentia Institute, Information Risk Insights Study (2020) ("Cyentia Report"), at 20 (finding that a data breach of 100,000 records has a 96 percent probability of costing at least $10,000 and only a 2.7 percent probability of costing more than $100 million).
153 ? See, e.g., PCAOB Investor Advisory Group Meeting (Sep. 26, 2024), available at https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting-september-2024.
154 ? See, e.g., Malia Politzer, Top Cyberthreats Targeting Accounting Firms, Journal of Accountancy (Mar. 16, 2020); Olivia Powell, PwC and EY Impacted by MOVEit Cyberattack, Cyber Security Hub (June 21, 2023); PCAOB Investor Advisory Group Meeting (Sep. 26, 2024).
155 ?See, e.g., Politzer, Top Cyberthreats.
156 ? See, e.g., Cyentia Report, at 12 (finding that companies under $1 billion in annual revenue have less than a 2 percent chance of experiencing a breach whereas companies with at least $1 billion in annual revenue have at least a 9.6 percent chance).
157 ? See, e.g., Cyentia Report, at 22 (finding that a $100 billion company that experiences a typical cybersecurity incident should expect a cost of approximately $292,000, whereas a $100,000 company should expect a cost of approximately $24,000).
Need
This section discusses the problem that needs to be addressed and explains how the final rule is expected to address it. In general, three observations suggest that there is an economic need for the reporting requirements:
• Investors and audit committees encounter persistent opacity regarding audit firm information that is consistent and comparable across firms and over time. As a result, there is a risk that investors and audit committees will not accurately assess a firm's capacity, incentives, and constraints that best meet investor needs regarding the audit.
• Information regarding audit firm characteristics that will help assess a firm's capacity, incentives, and constraints has been requested by investors. However, the market for information does not provide standardized information regarding certain firm characteristics because firms, investors, and audit committees lack sufficient incentives necessary to develop a system of voluntary disclosure. As a result, firms do not supply the market with sufficient decision-useful information. 158
Footnotes:
158 ?Given the considerations in the benefits and costs sections below, it appears reasonable to assume that the frictions in the market for information are likely to cause an apparent undersupply of information, rather than the cost of providing the information being greater than the social benefit.
• PCAOB staff experience with the extant PCAOB reporting framework has revealed incomplete or imperfect information regarding certain events at some audit firms. This impairs the Board's ability to perform its statutory oversight function.
The Firm Reporting rule will help address this problem in two primary ways:
• The rule will require audit firms to publicly disclose firm information that is standardized across firms and over time and will aid investor and audit committee decision-making.
• The rule will require audit firms to report additional information and specified events and, in some cases, financial statements, which will enhance the effectiveness of the Board's statutory oversight.
[top] Investor-related groups affirmed the need for the reporting requirements. Several commenters questioned the
The proposal and this release below explain that the required public disclosures and confidential reporting are intended to provide more information to the audit market to support: (i) audit committees in their appointment and monitoring of an audit firm, (ii) investors in their votes on proposals to ratify the appointment of an audit firm and in their efforts to oversee the audit committee, and (iii) the Board's ability to perform its statutory oversight function as it relates to emerging risks. In addition, many commenters seemed to demonstrate an understanding of the problem by suggesting several alternatives that are summarized in a section below. Moreover, the proposal did not state or intend to suggest that the Board plans to influence audit firms' investing and operating decisions or impose minimum capital requirements or de facto government auditing, nor does the Board intend for the final rule to have such influence. While the Board agrees that the final rule increases the volume of reporting requirements, the Board notes that much of the information is already reported through the PCAOB inspection process, as explained in a section above, or made available to audit committee chairs, as noted by one commenter representing audit committee chairs. Finally, while the commenter did not offer a definition of "active" firms or "inactive" firms, the PCAOB's current access to any relevant and appropriate data for registered firms does not address investors' current lack of access to the required disclosures. In addition, the Board does not rule out the possibility that investors or audit committees could have future needs for the required disclosures of all registered firms.
The following sections describe in more detail the problem to be addressed and how the reporting requirements will address it.
1. Problem To Be Addressed
i. Persistent Opacity Regarding Firm Information
a. Investors and Audit Committees
Reliable company financial statements help investors evaluate company performance and monitor managements' stewardship of investor capital. An audit committee is established by the company's board of directors and is statutorily entrusted to appoint, compensate, and oversee the work of the audit firm. 159 In its appointment decision, the audit committee evaluates firms to identify a firm with the capacity, incentives, and constraints that best meet investor needs regarding the audit. Once the audit committee appoints a firm, the audit committee then monitors the firm. 160 However, the audit committee may focus on the interests of investors who are current shareholders rather than the broader public interest ( e.g., market confidence, potential future shareholders, or investors in other companies). Moreover, there is a risk that the audit committee may not monitor the firm effectively because the firm may seek to satisfy the interests of company management rather than investors if management is able to exercise influence over the audit committee's supervision of the firm. 161
Footnotes:
159 ? See Section 301 of Sarbanes-Oxley and Section 10A(m)(2) of the Securities Exchange Act.
160 ? See, e.g., CAQ, 2023 Audit Committee Transparency Barometer (Nov. 2023) ("CAQ Barometer Report") (noting that oversight of the external auditor continues to be at the core of the audit committee's responsibilities).
161 ? See, e.g., Joshua Ronen, Corporate Audits and How to Fix Them, 24 Journal of Economic Perspectives 189 (2010) (explaining that audit committee members are paid by the company and can be dependent on top company management for a variety of benefits, including referrals as a possible member on the board of directors and audit committees of other companies); Liesbeth Bruynseels and Eddy Cardinaels, The Audit Committee: Management Watchdog or Personal Friend of the CEO?, 89 The Accounting Review 113 (2014) (finding that companies whose audit committees have "friendship" ties to the CEO purchase fewer audit services and engage more in earnings management); Cory A. Cassell, Linda A. Myers, Roy Schmardebeck, and Jian Zhou, The Monitoring Effectiveness of Co-Opted Audit Committees, 35 Contemporary Accounting Research 1732, 1733-1734 (2018) (finding that the likelihood of a financial statement misstatement is higher and that absolute discretionary accruals are larger when audit committee co-option, as measured by the proportion of audit committees who joined the board of directors after the current CEO's appointment, is higher); Nathan Berglund, Michelle Draeger, and Mikhail Sterin, Management's Undue Influence over Audit Committee Members: Evidence from Auditor Reporting and Opinion Shopping, 41 Auditing: A Journal of Practice & Theory 49 (2022) (finding that greater management influence over audit committee members is associated with a lower propensity of the auditor to issue a modified going concern opinion to a distressed company under audit and with increased opinion shopping behavior).
As a result of this risk, investors have an important, albeit indirect, role in overseeing the audit firm. Indeed, while the audit committee more directly oversees the firm, most publicly traded companies allow investors to vote on a proposal to ratify the audit committee's appointment of an audit firm. This ratification vote enables investors to demonstrate whether they support the audit committee's appointment of the firm. 162 To inform the appointment ratification vote, audit committee disclosures in annual company proxy statements indicate that some audit committees consider a variety of public and non-public information when appointing their auditor, including public data regarding the candidate firm and its peer firms. 163
Footnotes:
162 ?Voting on a proposal to ratify the appointment of the audit firm is not statutorily required and in many cases the ratification vote is non-binding. However, according to Audit Analytics accessed on Mar. 1, 2024, ratification votes had been held for the year ended in 2023 by 2,802 distinct companies included in the Russell 3000 index, which comports with other estimates that indicate between 80 and 95 percent of companies hold votes on ratification proposals as part of their proxy process. See, e.g., ACAP Final Report, at VIII.20 (finding that 95 percent of S&P 500 companies and 70-80 percent of smaller companies put ratification proposals up for an annual shareholder vote); Lauren M. Cunningham, Auditor Ratification: Can't Get No (Dis)Satisfaction, 31 Accounting Horizons 159, 161 (2017) (finding that more than 90 percent of a sample of Russell 3000 companies voluntarily include an appointment ratification vote on the ballot). The Board notes that broker discretionary voting is permitted on ratification proposals and ratification proposals may be used as a mechanism by some companies to achieve a quorum to conduct an annual meeting as a result of brokers exercising discretionary votes.
163 ? See, e.g., CAQ Barometer Report, at 15-18 (presenting examples of audit committee disclosures that summarize the information the audit committee considered when appointing the audit firm).
[top] Research suggests that investor decisions regarding the appointment ratification vote rely in part on the alignment of the firm's capacity, incentives, and constraints with investor needs regarding the audit. 164
Footnotes:
164 ? See, e.g., Mai Dao, K. Raghunandan, and Dasaratha V. Rama, Shareholder Voting on Auditor Selection, Audit Fees, and Audit Quality, 87 The Accounting Review 149, 168 (2012) (concluding that shareholder votes on proposals to ratify the appointment of an audit firm can be viewed as aligning the firm's incentives more with shareholders than in cases where the audit committee makes the hiring decision without a shareholder vote); Cunningham, Auditor Ratification 174 (noting that proxy advisor guidelines recommend against a proposal to ratify the appointment of a firm if there is information that suggests a conflict between the firm's interests and shareholder interests).
165 ? See, e.g., Suchismita Mishra, K. Raghunandan, and Dasaratha V. Rama, Do Investors' Perceptions Vary with Types of Nonaudit Fees? Evidence from Auditor Ratification Voting, 24 Auditing: A Journal of Practice and Theory 9 (2005) (finding that the SEC's requirement for companies to disclose partitioned information about tax and other non-audit fees paid to a company's independent audit firm had a positive association with the proportion of investor votes against ratification proposals in 2003); Cunningham, Auditor Ratification 174 (noting that proxy advisor guidelines recommend against a proposal to ratify the appointment a firm if non-audit fees exceed the sum of audit fees, audit-related fees, and tax preparation fees). Other research indicates that investors rely on publicly available PCAOB information to make informed appointment ratification decisions. See, e.g., Paul N. Tanyi, Dasaratha V. Rama, and K. Raghunandan, Auditor Tenure Disclosure and Shareholder Ratification Voting, 35 Accounting Horizons 167 (2021) (finding that in the case of companies with long (short) auditor tenure, the proportion of shareholder votes not ratifying the appointment of an auditor increased (decreased) after PCAOB mandated public disclosure of auditor tenure).
166 ? See, e.g., Cunningham, Auditor Ratification, 163 (explaining that proxy advisors are left to rely on publicly available cues about auditor independence and audit quality because SEC DEF 14-A proxy statement disclosures require relatively little information about the audit committee's process for appointing or retaining a specific firm subject to vote). The Board notes that research also indicates that retail investors may not necessarily use information regarding an audit firm in their decisions to vote on a proposal to ratify the appointment of the firm. See, e.g., Cory A. Cassell, Tyler J. Kleppe, and Jonathan E. Shipman, Retail Shareholders and the Efficacy of Proxy Voting: Evidence from Auditor Ratification, 29 Review of Accounting Studies 75 (2024) (finding that appointment ratification votes become less informed- i.e., associated with factors that do not reflect auditor performance-as retail ownership increases).
167 ?While diversified, passive investment funds hold large shares of U.S. companies, non-financial blockholders or insiders may also hold large shares. See, e.g., Amir Amel-Zadeh, Fiona Kasperk, and Martin Schmalz, Mavericks, Universal, and Common Owners-The Largest Shareholders of U.S. Public Firms, available on SSRN: https://ssrn.com/abstract=4219430 (2022) (showing that between 2003-2020 up to one-fifth of the largest U.S. companies had a non-financial blockholder or insider as their largest shareholder). The Board notes that SSRN does not peer review its submissions.
Several commenters affirmed the point made in the proposal and in this release that shareholder voting on a proposal to ratify the appointment of the audit firm is not statutorily required and in many cases the ratification vote is non-binding. One commenter asserted that audit committees are functioning effectively under current rules. The commenter further noted that it is rare for shareholders not to vote in favor of ratifying the audit committee's selection, and opined that this is because shareholders reasonably rely on the audit committee to fulfill their responsibilities and regularly engage with the auditor. One commenter suggested that the required disclosures are an attempt to circumvent the work of audit committees. However, the proposal did not state or intend to suggest that the required disclosures are an attempt to circumvent the work of audit committees, nor is the final rule intended to have such an effect. In contrast, the Board believes the required disclosures will create opportunities to strengthen communication between audit committees and investors and for investors to play a more proactive role in the selection of the audit firm and more proactively and efficiently monitor the work of audit committees. 168
Footnotes:
168 ?Recent trends in investors' votes against appointment ratifications indicate that investors have an interest in playing a more proactive role in the selection of the audit firm. See, e.g., Jennifer Williams, The Morning Ledger: Investor Votes Against Big Companies' Auditors Climbs, Dow Jones Institutional News (June 18, 2024) (noting that 4.3 percent of investors voted against the appointment ratification of S&P 500 companies' auditors through June 3, 2024, more than triple the proportion of a decade earlier and up from 3.7 percent last year, according to Ideagen Audit Analytics).
Several commenters questioned whether the required disclosures will be useful to investors and audit committees. One commenter explained that the audit committee's statutory responsibility to represent the needs of investors and make informed decisions about the appointment and retention of auditors makes it unclear whether increased public disclosures by firms will lead to different investor decision-making. One commenter asserted that the required disclosures are not needed by audit committees in their oversight of auditors or by investors for their voting and investment decisions. The commenter further asserted that audit committees are not asking for the required disclosures and that the required disclosures are not material information for investors' voting or capital allocation decisions. Another commenter suggested that audit committees may find certain of the required disclosures relevant to their oversight of the audit firm and affirmed that audit committees currently have a channel to request and receive the information.
Investor-related groups affirmed the decision-usefulness of the reporting requirements for ratification votes and the election or reelection of audit committee chairs and members as articulated in the proposal. The comments received from investor-related groups suggest that investors have different perspectives than other commenters regarding the usefulness of the required disclosures to investors. For example, the comments from investor-related groups suggest that the information is material enough for investors to use in their ratification votes or in their oversight of audit committees. In addition, one commenter, representing audit committee chairs, asserted that audit committee chairs already receive or have access to most of the mandated information from audit firms. The fact that firms have arranged to provide the information voluntarily to audit committee chairs despite the cost of doing so suggests to the Board that some audit committees do find value in some of the required disclosures and explains why audit committees are not asking for the required disclosures. Moreover, the Board continues to agree that audit committees can request and receive firm information directly from their incumbent auditors and tendering firms, and the Board believes that audit committees will continue to do so for information that is not included in the required disclosures.
[top] One commenter, representing audit committee chairs, questioned whether investors will make use of the required disclosures in their decision-making and asserted that most of the information is rarely, if ever, requested by investors, much less the subject of discussions with investors. However,
One commenter suggested that stakeholders who have recommended additional information or different information from the information already provided in firms' transparency reports and audit quality reports should be asked to describe how similar information is being utilized and, with some level of specificity, what specific information the stakeholders would find incrementally useful, and why. However, the Board does not believe that stakeholders who have recommended additional information or different information from firms' transparency reports or audit quality reports could describe how similar information is being utilized because the additional information or different information is currently not publicly available for the stakeholders to use. Moreover, affirmative comments from investor-related groups suggested that the required disclosures reflect the specific information that investors will find useful.
One commenter asserted that the proposal provided no evidence that audit committees are deficient in obtaining relevant information for purposes of selecting and retaining auditors. However, the proposal did not claim that audit committees are deficient in obtaining relevant information for purposes of their auditor selection and retention decisions. Another commenter asserted that the economic analysis in the proposal appeared to be inappropriately based on a premise that audit committees do not currently receive information that they require to fulfill their fiduciary responsibilities. However, the proposal did not claim that audit committees do not currently receive information that they require to fulfill their fiduciary responsibilities and was not based on this premise. In contrast, the proposal explicitly stated that audit committees can request and receive firm information directly from their incumbent auditors and tendering firms, even though the information lacks standardization. The proposal also explicitly stated that the potential benefits of better-informed selection decisions and monitoring will be reduced to the extent that audit committees request and receive firm information via ad hoc requests from incumbent or tendering firms.
b. Evidence of Persistent Opacity
As described in a section above, the Board collects supplemental information through the PCAOB inspection process. Investors cannot use the information in their decision-making because the information is not publicly disclosed as part of that process. However, some of the information could be useful to inform investors' views of firms.
Two sources suggest that some of the supplemental information collected through the inspection process, and required for disclosure, will be useful to investors. First, the ACAP Final Report? 169 recommends, based in part on investor support, that the PCAOB require each large firm to produce an annual report that includes disclosure of firm operating characteristics such as legal and network structure, governance, partner remuneration policies, and financial information, including audit fees, tax advisory fees, and consulting fees. 170 Moreover, the report recommends that the PCAOB determine which of the characteristics should be required in annual reports of smaller firms, taking into account firm resources. 171 Second, as described in the Background and Key Considerations section, investor-related groups have more recently invoked the ACAP Final Report and suggested that certain firms be required to disclose information regarding firm operating characteristics, such as annual audited financial statements or information about firm governance, leadership, and structure. 172
Footnotes:
169 ?The ACAP included investor leaders among other leaders and was focused on strengthening the audit profession for investor protection. The ACAP considered issues affecting the sustainability of the auditing profession, including human capital, firm structure and finances, and audit market concentration and competition. Most closely related to this rule, the ACAP Final Report recognized on behalf of investors and the public that disclosure of certain firm operating characteristics, including financial and governance information, affect how the firm functions. See ACAP Final Report, at II.2, II.4.
170 ? See ACAP Final Report, at VII.21.
171 ? See ACAP Final Report, at VII.23.
172 ? See, e.g., PCAOB Investor Advisory Group Meeting (June 8, 2022) (suggesting that unimplemented ACAP recommendations be implemented, including information regarding firm governance, leadership, and structure); PCAOB Investor Advisory Group Meeting (Oct. 27, 2016) (discussing the status of ACAP recommendations, including large firm provision of financial statements); Comment No. 35 from the Council of Institutional Investors (Mar. 19, 2020), Rulemaking Docket 046: Quality Control, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket046/035_cii.pdf?sfvrsn=5ade7257_0, at 7 (suggesting that certain firms be required to provide annual audited financial statements and information about firm governance).
One commenter noted that the Financial Stability Oversight Council (FSOC) was created several years after issuance of the ACAP Final Report, and that recommendations in the ACAP Final Report for the PCAOB to collect information from firms and monitor financial stability or catastrophic risk need to be reconsidered and recalibrated through the lens of subsequent events. The Board agrees with the commenter, and the reporting requirements in the final rule have been developed based on periodic public feedback from stakeholders, as noted above, including public comments received in response to the proposal, since the ACAP Final Report was issued.
One commenter asserted that the proposal seemed to rely on conjecture or assumptions without a broad swath of audit committee or investor input requesting such information. The commenter reported results of a survey of 100 institutional investors? 173 and a survey of 242 audit committee members? 174 that reference the Firm and Engagement Metrics proposal and the Firm Reporting proposal as context to gather perspectives from each stakeholder group regarding the use of standardized firm and engagement information when selecting and monitoring the audit firm.
Footnotes:
173 ? See CAQ Investor Survey.
174 ? See CAQ Audit Committee Survey.
[top] The survey of 100 institutional investor respondents asked about respondents' opinions regarding the board of director's and the audit committee's knowledge to select an audit firm. 175 The results showed that: (i) 40 percent of respondents strongly agreed and 44 percent agreed that boards of directors and audit committees should consider some standard information about auditors when selecting a firm but ultimately rely on their unique needs and knowledge of the company and its industry; (ii) 37 percent of respondents strongly agreed and 51 percent agreed that boards of directors and audit committees are best suited to determine the specific criteria for auditor selection based on their unique business experience and knowledge of the company and its industry; (iii) 34 percent of respondents strongly agreed and 47 percent agreed that mandatory and standardized firm and engagement metrics are necessary for company management and audit committees to uphold fiduciary responsibilities to shareholders; and (iv) 30 percent strongly agreed and 39 percent agreed that boards of directors and audit committees lack access to the information they need to make an
Footnotes:
175 ? See CAQ Investor Survey. The survey question asked, "How strongly do you agree or disagree with the following statements about mandated disclosures of firm and engagement-level metrics?"
The survey of 242 audit committee member respondents asked about respondents' opinions regarding the board of director's and the audit committee's knowledge to select an audit firm. 176 The results showed that: (i) 59 percent of respondents feel that boards of directors and audit committees should consider some standard information about auditors when selecting a firm and performing oversight responsibilities but ultimately rely on their unique needs and knowledge of the company and its industry; (ii) 40 percent of respondents feel that boards of directors and audit committees are best suited to determine the specific criteria for auditor selection and oversight based on their unique business experience and knowledge of the company and its industry; and (iii) 1 percent of respondents feel that boards of directors and audit committees should defer to standardized metrics about auditor performance when selecting and overseeing their auditor. Thus, while a majority of audit committee members surveyed agree that boards of directors and audit committees have the knowledge necessary to select an audit firm, a majority also agree that boards of directors and audit committees should consider some standard information about the audit firm. While the last response appears to identify performance metrics, the Board agrees with the general sentiment of the response that boards of directors and audit committees should not defer solely to standardized metrics, including firm operating characteristics, when selecting and overseeing the audit firm. However, the Board continues to believe that the public availability of some firm operating characteristics will enhance the information environment for investors and audit committees and that standardized information will reduce the time audit committees spend gathering information.
Footnotes:
176 ? See CAQ Audit Committee Survey. The survey question asked, "Which of the following statements most closely matches your opinion about the corporate board's responsibility to select and appoint an auditor?"
The survey of 242 audit committee member respondents also found that 59 percent of respondents feel that the information available to audit committees to fulfill their audit oversight responsibilities and assess the quality of their external auditor at both a firm and engagement level meets all of the audit committee member's needs. 177 In addition, 36 percent of audit committee member respondents feel that the information meets most of the member's needs, 4 percent feel that the information meets some of member's needs, 1 percent feel that the information does not meet some of the member's needs, and none feel that the information does not meet most of the member's needs. 178 Of the 99 audit committee members who answered that the information does not meet all of the member's needs, 15 percent indicated they want additional information about the audit firm, and 8 percent indicated they want additional information about other audit firms. 179 While these results suggest that the vast majority of audit committee member respondents feel they have sufficient information regarding audit firms, the former result ( i.e., 15 percent) suggests that those audit committee member respondents feel that they may lack complete information to fulfill their audit oversight responsibilities and assess the quality of their external auditor, and the latter result ( i.e., 8 percent) suggests that those audit committee member respondents feel that they may lack information to be able to efficiently and effectively evaluate the characteristics of a candidate firm against those of peer firms.
Footnotes:
177 ? See CAQ Audit Committee Survey. The survey question asked, "What is your opinion on the information available to you to fulfill your audit oversight responsibilities and assess the quality of your external auditor at both a firm and engagement level?"
178 ? See CAQ Audit Committee Survey.
179 ? See CAQ Audit Committee Survey. The survey question asked, "What are the top three areas in which you want additional information about your individual audit engagement(s)?"
ii. Lack of Sufficient Incentives To Develop a System of Voluntary Disclosures Regarding Firm Information
The market does not provide audit firms with sufficient incentives to develop an efficient and effective system of standardized voluntary disclosures regarding firm operating characteristics. If market forces do not provide sufficient incentives, then economic theory suggests regulation may be necessary to generate changes in behavior. 180 The Board considers supply-side and demand-side reasons that market forces do not provide sufficient incentives.
Footnotes:
180 ?See, e.g., Christian Leuz and Peter D. Wysocki, The Economics of Disclosure and Financial Reporting Regulation: Evidence and Suggestions for Future Research, 54 Journal of Accounting Research 525 (2016); Anat R. Admati and Paul Pfleiderer, Forcing Firms to Talk: Financial Disclosure Regulation and Externalities, 13 The Review of Financial Studies 479 (2000); Ronald A. Dye, Mandatory Versus Voluntary Disclosures: The Cases of Financial and Real Externalities, 65 The Accounting Review 1 (1990); John C. Coffee, Jr., Market Failure and the Economic Case for a Mandatory Disclosure System, 70 Virginia Law Review 717 (1984).
a. Supply-Side Reasons
Economic theory suggests that high-quality companies have an incentive to voluntarily disclose information to the extent it allows them to differentiate themselves from low-quality competitors. 181 However, there are countervailing forces that limit firms' incentives to develop a system of standardized voluntary disclosures.
Footnotes:
181 ? See, e.g., W. Kip Viscusi, A Note on "Lemons" Markets with Quality Certification, 9 The Bell Journal of Economics 277 (1978).
Firms would incur private coordination costs, such as costs associated with collectively developing and monitoring compliance with a system of standardized voluntary disclosures. If regulation makes the information available in a standardized manner, then the coordination costs would instead be covered by the regulator. Firms may also be deterred by private competitive costs they could incur, such as costs associated with competitors leveraging disclosed information to capture market share. 182 There could also be a status quo bias whereby firms prefer to continue a non-disclosure policy despite investors' calls for additional information. 183
Footnotes:
182 ? See, e.g., Philip G. Berger, Jung Ho Choi, and Sorabh Tomar, Breaking it Down: Economic Consequences of Disaggregated Cost Disclosures, 70 Management Science 1374 (2024) (finding that after a Korean rule change that allowed companies to withhold a previously mandated disaggregation of cost of sales in their income statements, companies' profitability increased because withholding information reduced the transfer of competitive information to peer companies); Oliver Board, Competition and Disclosure, 57 The Journal of Industrial Economics 197 (2009) (finding that companies may be reluctant to voluntarily disclose in competitive markets); Daniel A. Bens, Philip G. Berger, and Steven J. Monahan, Discretionary Disclosure in Financial Reporting: An Examination Comparing Internal Firm Data to Externally Reported Segment Data, 86 The Accounting Review 417 (2011) (finding that companies provide fewer pseudo-segment disclosures due to proprietary costs or competitive concerns).
183 ?There are a variety of reasons why individuals may choose the status quo outcome in lieu of an unknown outcome, including aversion to the uncertainty inherent in moving from the status quo to another option. See, e.g., William Samuelson and Richard Zeckhauser, Status Quo Bias in Decision Making, 1 Journal of Risk and Uncertainty 7 (1988).
[top]
There is also a positive externality associated with the availability of firm information, such as certain governance information. 184 Standardized disclosures across firms and over time would provide benefits to a variety of investors, including current shareholders, potential future shareholders, and investors in other companies. However, firms do not negotiate with all of these parties, and some beneficiaries of the disclosures may have no influence over the firm at all. Economic theory suggests that, in the presence of positive externalities, markets may undersupply goods or services absent any regulatory intervention. 185 As a result, the positive externality may create a risk that the firm would not provide complete information to the market because the firm would not consider the benefits that accrue to all investors.
Footnotes:
184 ? See, e.g., N. Gregory Mankiw, Principles of Economics 200, 201 (6th ed. 2008) ("In the presence of a positive externality, the social value of the good exceeds the private value. The optimal quantity is therefore larger than the equilibrium quantity . . . Positive externalities lead markets to produce a smaller quantity than is socially desirable.").
185 ?See, e.g., Mankiw, Principles of Economics 200, 201.
In addition, investors lack a mechanism to independently validate the information. This information asymmetry creates a risk that the firm could provide inaccurate information. 186 Firms may further be inclined to offer voluntary disclosures for marketing purposes because the disclosures would not be subject to the regulatory review and enforcement that accompanies mandatory disclosures, which could have implications for the overall relevance and quality of the information. Likewise, firms may have incentives to withhold certain information, such as negative information, if the firms perceive that disclosure may damage their reputation or commercial prospects. 187 Thus, voluntary disclosure cmay result in an inefficient disclosure of information to the market and reduce the utility of the information to investors, so much so that a market could fail to exist. 188 Enforcement mechanisms that are available to regulators could be used to ensure the completeness and accuracy of firm information under a mandatory reporting framework.
Footnotes:
186 ? See, e.g., Mankiw, Principles of Economics 468 ("A difference in access to relevant knowledge is called an information asymmetry.").
187 ? See, e.g., Eli Amir, Shai Levi, and Tsafrir Livne, Do Firms Underreport Information on Cyberattacks? Evidence from Capital Markets, 23 Review of Accounting Studies 1177 (2018) (concluding that mangers voluntarily disclose less severe cyberattacks and withhold information from investors regarding cyberattacks that cause greater damage).
188 ? See, e.g., George A. Akerlof, The Market for "Lemons": Quality Uncertainty and the Market Mechanism, 84 The Quarterly Journal of Economics 488 (1970) (discussing how low-quality cars may drive out high-quality cars from the used car market).
b. Demand-Side Reasons
Investors do not directly contract with audit firms and, thus, generally lack bargaining power to request and receive information from the firm. Moreover, gathering standardized information regarding peer firms' operating characteristics would incur significant private costs because that information is also non-public. While investors could seek to acquire information regarding firm characteristics from the company under audit, a free-rider problem exists in which the costs incurred by one or more investors to convince the company to provide such information would not be shared by all other investors. 189 However, all other investors would benefit from the required public disclosure of that information because the information would likely need to be publicly disclosed. 190 Since the investors who incur the costs would not reap the exclusive benefit of their efforts, their incentive to make the effort is lower, and the likelihood of an under-provision of the information by firms is higher.
Footnotes:
189 ? See Mankiw, Principles of Economics 220, 222 ("A free rider is a person who receives the benefit of a good but avoids paying for it . . . A free-rider problem arises when the number of beneficiaries is large and exclusion of any one of them is impossible.").
190 ? See Regulation Fair Disclosure, 17 CFR 243.100(b)(1)(iv).
As discussed above, audit committees are already privy to certain information about their auditors beyond what is publicly available. However, even if the audit committee requests information and the information is provided by the firm, the information would be with respect to that firm alone and could lack consistency and comparability with peer firms. Audit committees could also conceivably request and receive information from all tendering firms but obtaining standardized information would be burdensome. Thus, without mandatory disclosure, audit committees also lack context to be able to efficiently and effectively evaluate the characteristics of a candidate firm against those of peer firms. 191
Footnotes:
191 ?As noted above, the CAQ Audit Committee Survey indicated that approximately 15 out of 99 audit committee member respondents indicated they want additional information about the audit firm, and 8 indicated they want additional information about other audit firms.
c. Evidence of Ineffective Voluntary Disclosures by Firms
As described above, some audit firms disclose certain firm information through voluntary transparency reports. While firms that provide voluntary transparency reports are generally larger firms, many smaller firms do not release such reports. Extant academic literature provides mixed evidence as to whether transparency reports are an effective tool for conveying informative disclosures regarding audit quality. 192 Some research also finds that, because the information contained in transparency reports is relatively unregulated, the disclosures and contextual discussion lack standardization across firms or even within firms. 193 A lack of standardization means that the disclosures have limited comparative value, inhibiting their usefulness to investors and audit committees. 194 In addition, the UK Financial Reporting Council has concluded that transparency reports, as they currently exist, are not an effective means of disclosure. 195
Footnotes:
192 ? See, e.g., Rogier Deumes, Caren Schelleman, Heidi Vander Bauwhede, and Ann Vanstraelen, Audit Firm Governance: Do Transparency Reports Reveal Audit Quality?, 31 Auditing: A Journal of Practice & Theory 193, 207-208 (2012) (concluding that current transparency report disclosures required in the European Union do not appear to reveal underlying audit firm quality); Shireenjit K. Johl, Mohammad Badrul Muttakin, Dessalegn Getie Mihret, Samuel Cheung, and Nathan Gioffre, Audit Firm Transparency Disclosures and Audit Quality, 25 International Journal of Auditing 508 (2021) (finding for Australian firms a positive association between governance disclosures and audit quality for large firms but no statistical association for medium and smaller firms).
193 ? See, e.g., Sakshi Girdhar and Kim Klarskov Jeppesen, Practice Variation in Big-4 Transparency Reports, 31 Accounting, Auditing & Accountability Journal 261 (2018) (finding that the content of transparency reports is inconsistent and the transparency reporting practice is not uniform within large-firm networks).
194 ?Similar economic outcomes exist for comparability in financial disclosures, suggesting there may be inherent value and information efficiency benefits generated under uniform disclosure regimes. See, e.g., Bingyi Chen, Ahmet C. Kurt, and Irene Guannan Wang, Accounting Comparability and the Value Relevance of Earnings and Book Value, 31 Journal of Corporate Accounting & Finance 82 (2020).
195 ? See, e.g., Financial Reporting Council, Transparency Reporting: AQR Thematic Review (Sep. 2019) (finding that surveyed investors and audit committee chairs are either unaware of or perceive limited use in audit firm transparency reporting in the UK).
[top] One commenter asserted that the studies cited likely include outdated information because transparency reporting has improved over the past few years and urged the Board to consider more recent transparency reports to evaluate the value of
Footnotes:
196 ? See, e.g., PCAOB Standards and Emerging Issues Advisory Group Meeting (Nov. 2, 2022) (suggesting that investors do not read firm-level reports or know the reports exist because the reports do not provide enough quantitative information that facilitates investors' efforts to measure audit quality across firms).
While the Board notes that the comments made by investor representatives regarding investors' awareness of information that firms are already providing were made in the context of firm and engagement metrics, rather than the Firm Reporting rule, the Board also notes that firms' transparency reports and audit quality reports do contain some content that is related to the Firm Reporting rule. As explained in the proposal and in this release, the PCAOB staff considered the most recent transparency reports of the largest audit firms. The PCAOB staff reviewed the transparency reports and the audit quality reports of the six largest firms with the scope of the Firm Reporting rule in mind. The content of the reports includes some information that is within scope of the Firm Reporting rule, such as high-level summaries of revenue and general information regarding governance and legal structure, networks, and quality control policies and procedures. However, the transparency reports and audit quality reports lack specificity for each of the Firm Reporting disclosure areas and, thus, lack standardization and comparability across audit firms because of their voluntary nature and lack of coordination across firms. In addition, the content of some transparency reports and audit quality reports is not as concise as Form 2 required disclosures and includes information that is not within scope of the Firm Reporting rule-such as human capital investments, independence policies, ethics principles, and PCAOB inspection summaries-and are thus not as focused as Form 2 required disclosures.
iii. Statutory Oversight
PCAOB staff experience indicates instances of incomplete, imperfect, or untimely information- i.e., information that is not requested, not reported, or reported inaccurately, inconsistently or without sufficient detail-regarding certain events at firms, which could impair the Board's ability to perform its statutory oversight function as it relates to emerging risks associated with the events. The following paragraphs discuss four instances of incomplete, imperfect, or untimely information.
First, voluntary ad hoc reporting by firms to the PCAOB indicates that the current PCAOB reporting framework lacks specificity regarding certain events, such as financial constraints, mergers, or changes in governance. In some cases, such as insolvency or market consolidation, certain events could have implications for audit quality or the audit market. 197 In addition, certain events could affect a company's relationship with the audit firm, such as changes in the firm's ownership or arrangements with third parties that could impact the quality of the firm's provision of audit services. For example, private equity investment in a firm could have implications for the firm's independence, the approach the firm takes for making decisions, or the allocation of resources to the firm's provision of audit services. 198 As a result, the Board may not have a complete picture of the firm's incentives or constraints, which could potentially negatively affect audit quality or the audit market.
Footnotes:
197 ? See, e.g., Joseph Gerakos and Chad Syverson, Competition in the Audit Market: Policy Implications, 53 Journal of Accounting Research 725 (2015) (finding evidence that the exit of any of the largest firms would result in a loss of welfare and an increase in audit fees for public companies). One commenter affirmed that this finding relates to the largest firms and asserted that the finding therefore does not justify requiring all registered firms to provide the information. The Board agrees that the finding relates to the largest firms and that the study is cited as a single example of an event that could have implications for audit quality or the audit market. Examples of other events, such as private equity investment in an audit firm, which is subsequently noted, are relevant for more than just the largest firms.
198 ? See, e.g., Andrew Kenney, Private Equity Eyes Accounting Firms Large and Small, Journal of Accountancy (Feb. 1, 2023) (explaining that private equity investment could have implications for firm independence, decision-making processes, and use of technology and other resources); Jonathan Levin and Steven Tadelis, Profit Sharing and the Role of Professional Partnerships, 120 The Quarterly Journal of Economics 131, 163 (2005) (providing a theoretical model that demonstrates that in markets where clients of professional service providers cannot observe quality, partnerships emerge as a desirable form of organization because hiring is more selective than in profit-maximizing corporations).
Second, without special reporting specified for significant cybersecurity incidents, the Board may not be timely notified of incidents that could impact audit quality or the audit market. 199 The consequences of a significant cybersecurity incident at an audit firm include inadvertent exposure of companies' confidential data that could lead to inappropriate use of the data by third parties or malicious actors. 200
Footnotes:
199 ?While U.S. states generally have laws regarding companies' obligations to notify individuals of cybersecurity incidents related to personal data, the Board is not aware of similar requirements for business data. For a summary of states' notification laws, see, e.g., National Conference of State Legislatures, available at https://www.ncsl.org/technology-and-communication/security-breach-notification-laws.
200 ? See, e.g., Vernon J. Richardson, Rodney E. Smith, and Marcia Weidenmier Watson, Much Ado about Nothing: The (Lack of) Economic Impact of Data Privacy Breaches, 33 Journal of Information Systems 227, 249 (2019) (finding that the costs of a data breach at a target company can spill over from the initial target to individuals and economically linked companies).
Third, without confidential reporting of the largest firms' financial statements, including revenue and operating income delineated by service line, the Board may not have information readily available to assess a firm's wherewithal to withstand risks associated with events such as court judgments against the firm that could affect audit quality or threats to global networks or other affiliates that may require the firm's support and could affect the provision of audit services. 201 Without financial statements, the Board also misses potential opportunities to understand a firm's financial condition or financial results that may affect audit quality or the provision of audit services.
Footnotes:
201 ? See, e.g., Eric L. Talley, Cataclysmic Liability Risk Among Big Four Auditors, 106 Columbia Law Review 1641 (2006) (concluding that in the wake of the Arthur Anderson collapse it is theoretically possible that, under certain conditions, legal liability could lead to widespread audit industry breakdown, and that even though the empirical pattern of liability exposure around the time of the Arthur Anderson collapse did not appear to be the type that could imperil the entire profession, the future risk of another large firm exiting the market due to legal liability (and ultimately impacting audit quality) appeared to be more than trivial).
[top] The proposal would have required the largest firms to compile financial statements in accordance with an applicable financial reporting framework. Investor-related groups
Footnotes:
202 ? See, e.g., PricewaterhouseCoopers LLP, UK Annual Report 2023, Members' Report and Financial Statements for the Financial Year Ended 30 June 2023 (2023), available at https://www.pwc.co.uk/annualreport/assets/2023/pwc-uk-financial-statements-2023.pdf.
As noted above, U.S. GNFs currently compile financial statements using a variety of frameworks that are generally accrual-based but not in accordance with an applicable financial reporting framework. In response to commenters' concerns regarding the Board's need for financial statements compiled in accordance with an applicable financial reporting framework, the Board has revised the requirement for financial statements to be compiled in accordance with an accrual basis of accounting rather than an applicable financial reporting framework. In addition, the Board has clarified the requirement to delineate, at a minimum, revenue and operating income by service line, which will enable the Board to understand the firm's audit practice in context with the firm's other lines of business as noted in the Discussion of the Reporting Updates section.
Fourth, a 30-day filing deadline for material specified events is not consistent with the increased pace at which information is generated and consumed today, or with advances in automation and processing, given the gravity of material specified events. For example, if a determination has been made that there is substantial doubt about a firm's ability to continue as a going concern, a 30-day time lag may not provide the Board with sufficient notice for appropriate timely follow-up.
The proposal included a provision that would have accelerated the filing deadline for existing specified events from 30 days to 14 days in addition to imposing a 14-day filing deadline for material specified events. Investor-related groups affirmed the need for a 14-day filing deadline. Several commenters questioned the need for a filing deadline shorter than 30 days. One commenter asserted that the only justification provided for the shorter deadline is advances in automation and processing. One firm commenter affirmed that advances in automation and processing are useful to alert firms to events requiring disclosure and noted that the subsequent evaluation of an event is intensely manual. The commenter affirmed that a 14-day filing deadline may be feasible for some events but expressed concern that acceleration will result in errors in Form 3 reporting. Some firms said that automation is not a sufficient reason for a shorter filing deadline because subsequent analysis and evaluation are required after an event is identified, which may require manual internal and external advising to investigate and conclude on an event. One commenter asserted that a 14-day filing deadline will not be sufficient because several people are involved in the process to identify, analyze, and report an event. Some commenters expressed concern that a 14-day filing deadline may not be sufficient for foreign firms because they often need to obtain legal advice about whether an event qualifies for reporting on Form 3. One GNF commenter noted that more than 70 percent of the Form 3 filings by foreign firms in the firm's network relate to legal proceedings required by Part IV (Certain Proceedings) of Form 3. One commenter noted that a 14-day filing deadline may not be sufficient for smaller firms because they have fewer legal and other resources. One firm commenter supported timely reporting of specified events but questioned if there is evidence indicating that the 30-day timeline was insufficient or detrimental. A few other commenters also questioned whether there is evidence to suggest there is a need to shorten the filing deadline from 30 days to 14 days.
While commenters focused on limitations of advances in automation and processing, the proposal and this section of the release explain that the need for a shorter filing deadline also arises from the increased pace at which information is generated and consumed today. For example, the Board has become aware of events at firms through means other than Form 3 prior to the 30-day filing deadline. In addition, some firms have demonstrated an ability to file Form 3 within a 14-day period as explained above. Nevertheless, as explained in Discussion of the Reporting Updates section, the final rule applies the 14-day filing deadline only to material specified events, rather than to all Form 3 specified events. Moreover, the decision to limit the reporting requirements for material specified events to annually inspected firms will reduce the number of firms subject to the shorter filing deadline for those events.
2. How the Final Rule Addresses the Need
i. Investors and Audit Committees
The final rule enhances transparency of audit firms by mandating public disclosure of firm information-including financial, governance, network, and cybersecurity characteristics-relating to the firm's capacity, incentives, and constraints to provide quality audit services. The final rule thus reduces frictions in the information market discussed above and thereby enhances: (i) audit committees' abilities to efficiently and effectively compare firms in their appointment and monitoring efforts and (ii) investors' abilities to efficiently and effectively compare firms in their decisions to vote on ratification proposals and allocate capital. The final rule requires firms to report standardized information using PCAOB structured forms, further promoting consistency across firms and over time. Collecting standardized information will enhance the usefulness of the information to investors and audit committees by allowing them to more easily compare firms.
ii. Statutory Oversight
[top] The final rule enhances the effectiveness of the Board's statutory oversight related to audit firms and the
Economic Impacts
This section discusses the expected benefits and costs of the final rule and potential unintended consequences. Several commenters said that the economic analysis does not sufficiently analyze whether the benefits outweigh the costs of the reporting requirements. However, the commenters did not suggest a data source or methodology that allows for a quantitative analysis of all benefits and costs. Investor-related groups asserted that they believe the economic benefits of the proposal exceed the costs. In contrast, several commenters asserted that they believe the economic benefits of the proposal or certain reporting requirements in the proposal do not outweigh the costs. In both cases, commenters did not provide quantification of benefits or costs to support their beliefs regarding the relationship between benefits and costs. This economic analysis separately analyzes benefits and costs, and as stated above, the Board is not able to quantify all relevant benefits and costs due to data limitations.
Several commenters suggested that the PCAOB should consider the cumulative effects of the reporting requirements in this rulemaking along with other rules and standards that have recently been proposed or adopted. One commenter reported results of a survey of audit committee member respondents in which 76 percent of 145 respondents indicated concern about the cumulative impact of PCAOB standard-setting and rulemaking on audit quality and 24 percent indicated no concern. 203 One commenter asserted that clustering effective dates for multiple rules is unreasonable and unworkable. Consistent with long-standing practice based on PCAOB staff guidance for economic analysis, 204 the Board's economic analysis for each rulemaking considers the incremental benefit and costs for a specific rule- i.e., the benefits and costs stemming from that rule compared with the baseline. 205 There could be implementation activities for certain provisions of other PCAOB adopted and SEC approved rules and standards that overlap in time with implementation of the final Firm Reporting rule, which may impose costs on resource constrained firms affected by multiple rules. This may be particularly true for smaller and mid-sized firms with more limited resources. In determining effective dates and implementation periods, the Board considers the benefits of rules as well as the costs of delayed implementation periods and potential overlapping implementation periods. The Board also considers that in some cases, overlapping implementation periods may have benefits because firms will not need to revise or redo previous process or system changes where rules interact with each other. In addition, the Board has adopted phased implementation for smaller firms to give the firms more time to develop and implement the necessary tools to comply with the requirements.
Footnotes:
203 ? See CAQ Audit Committee Survey. The survey question asked, "Do you have concerns about the cumulative impact of PCAOB standard-setting and rulemaking on audit quality?"
204 ? See PCAOB, Staff Guidance on Economic Analysis in PCAOB Standard-Setting (Feb. 14, 2014), available at https://pcaobus.org/oversight/standards/economic-analysis/05152014_guidance.
205 ?Some commenters suggested that implementation of the final Firm Reporting rule should be postponed until post-implementation review ("PIR") of other standards is complete. The Board has an established PIR program under which staff of the Office of Economic and Risk Analysis ("OERA") conduct an analysis of the overall effect of new auditing requirements on key stakeholders in the audit process. In determining whether to conduct a PIR of a new or revised standard, staff consider the nature of the new standard, the feasibility of a PIR, and the potential utility to the Board. The Board expects that OERA staff will consider whether, based on these factors, a PIR may be warranted and, if so, OERA staff will recommend that the Board determine to conduct one. Based on these process considerations for PIRs, the Board decided that postponing implementation of the final Firm Reporting rule will not necessarily inform or improve the final Firm Reporting rule.
1. Benefits
The required disclosures will enhance: (i) audit committees' abilities to efficiently and effectively compare firms in their appointment decisions and monitoring efforts and (ii) investors' abilities to efficiently and effectively compare firms in their ratification decisions and monitoring efforts and in their capital allocation decisions. The required disclosures could also provide indirect benefits linked to audit quality, financial reporting quality, capital market efficiency, and competition. In addition, the required disclosures and confidential reporting will enhance the effectiveness of the Board's statutory oversight function.
In the following discussion, the Board discusses the direct benefits associated with enhancing the information environment regarding firm characteristics. The Board then discusses indirect benefits of the reporting changes. The Board then reviews academic literature related to the required disclosures. Throughout the discussion, The Board assumes that investors and audit committees will use the required disclosures based on their roles described above and that firms will report complete and accurate information based on the Form 2 and Form 3 certification requirements and the regulatory enforcement incentive.
i. Direct Benefits
[top] The required disclosures will enhance transparency and comparability of audit firms to support audit committee and investor decision-making. In addition, the reporting requirements will enhance the effectiveness of the Board's statutory oversight function. The Board notes that the benefits of comparable information have been observed in research regarding financial reporting. 206 The Board also notes that the benefits of prior PCAOB disclosure rules vary by rule and analysis. 207 Although there are differences between financial reporting disclosures and the required disclosures in this disclosure rule and between
Footnotes:
206 ? See, e.g., Mark L. DeFond, Xuesong Hu, Mingyi Hung, and Siqi Li, The Impact of Mandatory IFRS Adoption on Foreign Mutual Fund Ownership: The Role of Comparability, 51 Journal of Accounting and Economics 240, 241 (2011) (finding that greater financial reporting comparability leads to greater investment).
207 ? See, e.g., Interim Analysis Report: Further Evidence on the Initial Impact of Critical Audit Matter Requirements, PCAOB Rel. No. 2022-007 (Dec. 7, 2022), at 4 (suggesting that as of the analysis date investors may still be learning how to find value-relevance in the information content of disclosed critical audit matters); PCAOB, Staff White Paper: Econometric Analysis on the Initial Implementation of CAM Requirements (Oct. 2020), at 4, available at https://pcaobus.org/EconomicAndRiskAnalysis/pir/Documents/Econometric-Analysis-Initial-Implementation-CAM-Requirements.pdf (discussing how PCAOB staff did not find systematic evidence that investors respond to the information contents in critical audit matters but nevertheless did find that some investors are reading critical audit matters and find the information beneficial); Kose John and Min Liu, Does the Disclosure of an Audit Engagement Partner's Name Improve the Audit Quality? A Difference-in-difference Analysis, 14 Journal of Risk and Financial Management 1 (2021) (suggesting that there was an increase in audit quality and audits costs as a result of PCAOB Rule 3211, Auditor Reporting of Certain Audit Participants ); Lauren M. Cunningham, Chan Li, Sarah E. Stein, and Nicole S. Wright, What's in a Name? Initial Evidence of US Audit Partner Identification Using Difference-in-Differences Analyses, 94 The Accounting Review 139 (2019) (finding evidence that any immediate impact of PCAOB Rule 3211 on audit quality or audit fees is limited to specific dimensions of audit quality, specific control groups, and/or specific company characteristics).
Several commenters expressed doubt about the comparability of the required disclosures. One firm commenter suggested that the qualitative and narrative nature of most of the required disclosures does not lend itself to meaningful comparisons. Another firm commenter suggested that audit firms vary significantly in size and structure, making it difficult to achieve meaningful comparisons. Another commenter, representing smaller firms, noted that an audit firm with a small issuer portfolio will be required to compile information regarding the firm's entire audit practice and questioned whether there will be any basis for comparison to other audit firms given the potentially significant differences in the makeup of the firm's audit practice. While the Board agrees that qualitative and narrative disclosures may pose some limitations on comparability, the Board believes that comparability even of qualitative and narrative disclosures is enhanced by standardized reporting requirements, especially to the extent that qualitative and narrative disclosures provide useful context for users. The Board also agrees that comparability may likely be most meaningful among firms of the same size class or among firms with similar sized issuer portfolios. However, the Board believes that differences among firms do not diminish meaningful comparisons but rather enable users to distinguish one firm from another.
a. Investors and Audit Committees
The required disclosures will facilitate better-informed appointment decisions and monitoring by audit committees and better-informed appointment ratification decisions and monitoring by investors because the disclosures will enhance audit firm transparency with a cost-effective source of standardized information across firms and over time. To the extent that firm operating characteristics provide investors and audit committees with information to assess a firm's capacity, incentives, and constraints, the required disclosures will serve as a potential resource for more reliable audit committee appointment of the firm and investor ratification of the appointment proposal. 208 To the extent that firm characteristics change following a selection decision, the required disclosures will serve as a potential resource for more reliable periodic monitoring of the firm.
Footnotes:
208 ? See, e.g., Gene M. Grossman and Carl Shapiro, Informative Advertising with Differentiated Products, 51 The Review of Economic Studies 63 (1984) (finding that reduced information frictions can result in improved matching between sellers and buyers).
Audit committees will benefit from the enhanced information by being enabled to more efficiently and effectively review and compare information from peer firms against information from incumbent and tendering firms. Investors will benefit by being enabled to more efficiently and effectively evaluate firms. Market participants that rely on proxy advisors will also likely benefit from the required disclosures as proxy advisors could use the information in their recommendations, which in turn could provide benefits to less-resourced investors.
Mandatory standardized disclosure will enhance the effectiveness and efficiency of comparing firm characteristics across firms and over time. Form 2 provides standardized information with well-defined fields and a structured format that can be made conveniently available for access and use. 209 Standardization of the required disclosures will decrease investors' and audit committees' search costs and monitoring costs. 210 The public availability of the required information via disclosure could also lead the firm to more proactively consider and take actions regarding a company's stake in matters such as the firm's use and protection of the company's data. 211
Footnotes:
209 ? See, e.g., Luigi Zingales, The Future of Securities Regulation, 47 Journal of Accounting Research 391, 395 (2009) (concluding that a more subtle benefit of disclosure regulation is the standardization it entails); Jeffrey R. Kling, Sendhil Mullainathan, Eldar Shafir, Lee C. Vermeulen, and Marian V. Wrobel, Comparison Friction: Experimental Evidence from Medicare Drug Plans, 127 The Quarterly Journal of Economics 199 (2012) (finding that standardized information better enables individuals to assess tradeoffs and make coherent, rational decisions).
210 ? See, e.g., Zingales, The Future of Securities Regulation 395 (concluding that a company chooses a presentation format that is most favorable to the company's data, which impairs investors' ability to make comparisons across companies); Leuz and Wysocki, The Economics of Disclosure and Financial Reporting Regulation 525 (explaining that the disclosure of operating performance and governance arrangements by public companies can lower the cost of monitoring by providing investors with useful benchmarks that help investors evaluate other companies' managerial efficiency or potential agency conflicts). The Board notes that these studies focus on company disclosures, the results of which may not generalize to audit firms.
211 ? See, e.g., George Loewenstein, Cass R. Sunstein, and Russell Golman, Disclosure: Psychology Changes Everything, 6 Annual Review of Economics 391 (2014) (suggesting that the disclosure of information can have indirect effects that lead to changes in behavior).
Three caveats could attenuate the potential benefits of better-informed selection decisions and monitoring. First, the incremental benefits of the required disclosures for audit committees will be reduced to the extent that audit committees request and receive firm information via ad hoc requests from incumbent or tendering firms. However, by making the disclosures mandatory and standardized, the final rule will increase the accessibility and comparability of publicly available information regarding PCAOB-registered firms. For example, audit committees will be better able to compare an incumbent firm to peer firms. 212 Second, the benefits of better-informed appointment decisions and monitoring could vary depending on the involvement and experience of audit committees. For example, more proactive audit committees with greater firm appointment and monitoring experience may be more likely to use the information than other audit committees. However, audit committees may come to appreciate the accessibility and comparability of the required disclosures through the iterative process of appointing and monitoring firms. Third, to the extent that benefits are derived from the ability to readily switch between firms, the benefits could be reduced by stickiness in existing firm-issuer relationships. In particular, large multinational issuers may, as a practical matter need a GNF, which limits the pool of available alternatives. 213 Therefore, the benefits of better-informed selection decisions and monitoring could be reduced for the largest issuers.
Footnotes:
212 ? See, e.g., CAQ Barometer Report, at 15.
213 ?See United States Government Accountability Office, Continued Concentration in Audit Market for Large Public Companies Does Not Call for Immediate Action (Jan. 8, 2008), at 21.
[top] In addition to assisting investors with their appointment ratification votes and monitoring an audit firm, the required disclosures will assist investors in monitoring and evaluating the audit committee. The audit committee is responsible for overseeing the firm and the required disclosures may assist investors in determining whether the audit committee is effective in this role ( e.g., whether the audit committee continues to delay replacing a firm despite firm information that indicates insufficient capacity or poorly managed incentives and constraints). Enhanced investor monitoring of the audit
Footnotes:
214 ?Some academic research suggests that audit committee effectiveness is associated with audit committee incentives. See, e.g., Jeffrey Cohen, Ganesh Krishnamoorthy, and Arnold M. Wright, The Corporate Governance Mosaic and Financial Reporting Quality, 23 Journal of Accounting Literature 87 (2004) (concluding that personal ties and/or professional ties between the CEO and audit committee members can potentially impair members' objectivity). Some academic research suggests that investors are willing to pay for audit committee effectiveness and hold audit committees accountable for negative audit quality. See, e.g., Ellen Engel, Rachel M. Hayes, and Xue Wang, Audit Committee Compensation and the Demand for Monitoring of the Financial Reporting Process, 49 Journal of Accounting and Economics 136, 138 (2010) (suggesting a willingness by companies to deviate from the historically prevalent one-size-fits-all approach to director pay in response to increased demands on audit committees and differential director expertise); Suraj Srinivasan, Consequences of Financial Reporting Failure for Outside Directors: Evidence from Accounting Restatements and Audit Committee Members, 43 Journal of Accounting Research 291 (2005) (concluding that audit committee members bear reputational costs for financial reporting failure). Some academic research suggests that audit committee members without Big 4 audit experience are more likely to favor auditors that are rated as attractive. See, e.g., Matthew Baugh, Nicholas J. Hallman, and Steven J. Kachelmeier, A Matter of Appearances: How Does Auditing Expertise Benefit Audit Committees When Selecting Auditors?, 39 Contemporary Accounting Research 234 (2022) (concluding that auditing expertise mitigates the influence of superficial considerations in auditor selection, enabling audit committees to fulfill their stewardship role more effectively). Together, this research suggests that audit committee effectiveness could respond to improved investor monitoring. Other research suggests that audit committee effectiveness is positively associated with proxies for audit quality. See, e.g., Brian Bratten, Monika Causholli, and Valbona Sulcaj, Overseeing the External Audit Function: Evidence from Audit Committees' Reported Activities, 41 Auditing: A Journal of Practice & Theory 1 (2022) (finding that the strength of audit committee oversight, as implied by audit committee disclosures, is positively associated with proxies for audit quality).
Some of the required disclosures may not directly reflect a firm's capacity, incentives, and constraints. For example, stronger member networks may not directly translate to more technical resources for some firms or the composition of governing boards and management committees in some firms may not directly reflect accountability or its enforcement. One commenter affirmed this potential limitation and asserted that the reporting requirements do not provide insight into a firm's capacity, incentives, and constraints. However, the Board expects the required disclosures, either individually or taken together with other factors, to enhance the information environment for investors and audit committees. The relevance of the required disclosures to decision-making is evident in academic research. For example, academic research finds that certain audit firm characteristics-including firm size and financial situation, governance and network information, and insurance and litigation history-are used by insurance companies to assess the firm's risk exposure and set premiums. 215
Footnotes:
215 ? See, e.g., Mark Linville and John Thornton, Litigation Risk Factors as Identified by Malpractice Insurance Carriers, 17 The Journal of Applied Business Research 93, 95 (2001) (finding that insurance companies request information regarding audit firm revenue, predecessor firms, types of services provided, location, independence, organizational form, related-party involvement, fiduciary responsibilities, professional sanctions, and insurance and litigation history); Minjung Kang, Ho-Young Lee, Vivek Mande, and Yong-Sang Woo, Audit Firm Attributes and Auditor Litigation Risk, 55 Abacus 639, 641 (2019) (finding that audit firms with operating losses, rapid revenue growth, or no separation between audit and non-audit practices pay higher liability insurance premiums, while firms with a high proportion of partners and higher growth in the number of CPAs employed pay lower insurance premiums).
Investor-related groups said that the required disclosures will provide investors with information they currently do not have access to that can assist them in making more informed decisions about whether to vote to approve a proposal to ratify an audit firm or to elect or reelect an audit committee chair or members, or in exercising their responsibilities for oversight of an audit committee. One commenter expressed agreement that the required disclosures will be an effective means to allow investors and audit committees to evaluate registered firms and the public company audits they provide. Another commenter agreed that some of the required disclosures will provide information useful to audit committees for purposes of contracting with audit firms. One commenter reported results of a survey of audit committee member respondents in which 37 percent of 142 respondents indicated that the reporting requirements will be useful to the audit committee in exercising its oversight role and 63 percent of the respondents indicated the reporting requirements will not be useful. 216
Footnotes:
216 ? See CAQ Audit Committee Survey. The survey question asked, "Are the proposed enhanced reporting requirements in the Firm Reporting proposal useful to the audit committee in exercising its oversight role?" The Board notes that the survey results could vary based on any differences between the proposed disclosures and the adopted disclosures.
Several firms or representatives of firms questioned the benefits associated with the required disclosures. One commenter asserted that the potential benefits of the reporting requirements are not adequately correlated with the required disclosures. One commenter noted that the potential direct benefits were presented with caveats indicating possible limitations to their usefulness. Another commenter said that the proposal fell short of identifying how the additional reporting requirements will produce useful and comparable results for investors and audit committees. One commenter asserted that there was a presumption in the proposal that more disclosure is generally beneficial but the presumption is unsubstantiated.
While the Board continues to believe there are caveats and limitations regarding the potential benefits of the reporting requirements, evidence of the potential benefits is provided by academic research cited above and by comments from investor-related groups and surveys conducted of institutional investors and audit committee members discussed in this release. In addition, while the proposal and this release substantiate the benefits of the required disclosures, neither the proposal nor this release have presumed that more disclosure, other than the required disclosures, is generally beneficial. The Board also believes that the potential benefits of some of the required disclosures may vary across investors and audit committees. Comments from investor-related groups suggested that potential benefits associated with the required disclosures will be achieved through better informed decision-making and monitoring efforts. One commenter representing audit committee chairs suggested that audit committee chairs already receive or have access to most of the information that is being mandated, implying that audit committees will realize fewer benefits associated with the required disclosures, as suggested in the proposal. Another commenter suggested that the incremental benefit to audit committees from increased accessibility and comparability of publicly available information regarding PCAOB-registered firms, as noted in the proposal, will be small.
[top] One commenter suggested that the Board should consider the benefits to stakeholders in the companies that smaller firms audit and further explore the benefits of the reporting requirements to stakeholders of smaller public companies as compared to the costs incurred by firms. While the Board separately analyzes costs that will be incurred by firms in a section below, the Board believes that the benefits described above will also accrue to investors of companies that smaller firms audit and investors of smaller public companies. If investors of companies that smaller firms audit or investors of smaller public companies face relatively higher information asymmetry with the audit firm and company management, the benefits
One commenter suggested that not monitoring specific uses of Form 2 and Form 3 compels the Board to rely on broad and unsubstantiated statements regarding benefits. Another commenter said that the proposal identified benefits from disclosure generally but did not clearly and consistently articulate how the required disclosures will reasonably achieve the benefits. The Board agrees that the potential benefits associated with the required disclosures are identified and discussed collectively as a whole or by area of disclosure. However, not monitoring investor and audit committee uses does not imply that investors and audit committees do not utilize current Form 2 and Form 3 data or will not utilize the required disclosures. Results of the surveys conducted of institutional investors and audit committee members, and discussed in a section above, affirm that some institutional investor respondents, and audit committee member respondents to a much lesser extent, do utilize Form 2 and Form 3 information available on the PCAOB website. Moreover, as noted above, comments received from investor-related groups and survey results of audit committee members affirmed the benefits of the required disclosures to both groups.
One commenter asserted that the proposal did not provide evidence that the benefits will be achieved or that less expensive alternatives do not exist. However, in addition to evidence provided by academic research discussed in the proposal and by comments from investor-related groups and surveys conducted of institutional investors and audit committee members discussed in this release, potentially less-expensive alternatives to the reporting requirements were discussed in the proposal and are discussed below in this release. One commenter suggested it is unlikely that investors will gain any meaningful benefits based on the use of static, form-based reporting to collect and disseminate the information ( e.g., reporting of required information on Form 2). Another commenter suggested that the current static PDF format for Form 2 and Form 3 can require readers to page through multiple pages to locate the specific information they are seeking and encouraged the Board to modernize the system to allow users to locate relevant information more quickly and easily. Another commenter encouraged the Board to consider improving the current PCAOB reporting system to facilitate the reporting of information and user access to the information. The Board agrees that the method of collecting and disseminating information facilitates user access to the information, and since the Firm Reporting rule focuses on the content of the required disclosures and confidential reporting rather than how the information is collected and disseminated, the Board focuses on the benefits associated with the decision-usefulness of the required disclosures rather than any benefits associated with how the information is collected and disseminated. Nevertheless, results of the surveys conducted of institutional investors and audit committee members, and discussed in a section above, affirm that institutional investor respondents, and audit committee member respondents to a lesser degree, do utilize Form 2 and Form 3 information available on the PCAOB website.
b. Statutory Oversight
The required disclosures and confidential reporting will enhance the effectiveness of PCAOB's statutory oversight function and operating effectiveness. The required disclosures and confidential reporting will enable the Board to reduce supplemental information collection to the extent that the required reporting overlaps with supplemental information, but supplemental information collection will still be necessary for oversight purposes. Standardization of information will facilitate statutory oversight and will expedite Board efforts to identify regulatory tools and mechanisms in response to potential occasional disruptions in the timely issuance of audit opinions, for example, in the event of the failure of a large audit firm or other circumstances. 217 Enhanced PCAOB oversight will benefit firms and investors through more effective use of inspection resources, more effective standard setting and rulemaking, and better-informed assessments of specified events.
Footnotes:
217 ?See, e.g., Temporary Final Rule and Final Rule: Requirements for Arthur Anderson LLP Auditing Clients, SEC Rel. No. 33-8070 (Mar. 18, 2002).
One commenter asserted that the proposal was unclear about what the PCAOB intends to do with the new information that will be reported. Two commenters asserted that the proposal provided no insights on how the PCAOB will use the information or how the data will inform the PCAOB's processes and activities. However, the proposal discussed and this release in the following paragraphs discuss PCAOB uses of the required disclosures and confidential reporting.
[top] Collecting the required disclosures on Form 2 annually, across firms, will support the PCAOB's efforts to enhance audit quality and protect investors by more effectively planning and scoping inspection selections. 218 One commenter asserted that requiring the disclosures to be collected on Form 2 in order to facilitate effective inspection scoping and planning was a vague and insufficient basis for the reporting requirements because the PCAOB can continue to request information when inspection planning begins. The commenter further asserted that there is no indication or reason to believe that providing the information outside the inspection process further enhances audit quality. However, the section below explains that requiring disclosures outside the inspection process may indirectly enhance audit quality. The required disclosures on Form 2 will also enhance the PCAOB's ability to perform cross-sectional analyses and policy research, which could inform future standard setting and rulemaking. These planning, analyses, and research impacts will be limited by
Footnotes:
218 ? See, e.g., Phillip T. Lamoreaux, Does PCAOB Inspection Access Improve Audit Quality? An Examination of Foreign Firms Listed in the United States, 61 Journal of Accounting and Economics 313 (2016) (finding that auditors subject to PCAOB inspection access provide higher quality audits as measured by more going concern opinions, more reported material weaknesses, and less earnings management, relative to auditors not subject to PCAOB inspection access); Inder K. Khurana, Nathan G. Lundstrom, and K.K. Raman, PCAOB Inspections and the Differential Audit Quality Effect for Big 4 Non-Big 4 US Auditors, 38 Contemporary Accounting Research 376 (2021) (suggesting that initial PCAOB inspections improve audit quality more for the largest firms than for other annually inspected or triennially inspected firms); Albert L. Nagy, PCAOB Quality Control Inspection Reports and Auditor Reputation, 33 Auditing: A Journal of Practice & Theory 87 (2014) (concluding that public disclosure of PCAOB Part II inspection findings leads to a loss of the firm's market share and provides a credible signal of audit quality). The Board notes that the results from these studies that suggest a positive association between PCAOB oversight and audit quality do not necessarily mean that PCAOB oversight causes higher audit quality. These studies merely find positive associations between PCAOB oversight and audit quality.
The required confidential reporting of material specified events and significant cybersecurity incidents on Form 3 and their timely filing deadlines will better position the Board to assess a material specified event or significant cybersecurity incident and share information in a timely manner with the Board's oversight authorities ( i.e., SEC or Congress) to consider any response that may be warranted. 219 One commenter asserted that it is unclear what immediate actions the PCAOB could take in response to an accelerated filing deadline. Another commenter suggested that it is unclear how the PCAOB will utilize certain required disclosures, and the commenter used insurance claims to illustrate there could be confidentiality concerns from the perspective of the insurance company. The commenter further asserted that the reporting requirements will mandate disclosure of a wide range of highly confidential information for an unclear purpose.
Footnotes:
219 ?For examples of events that the Board could potentially assess with more formalized and timely reporting, see, e.g., Mark Maurer, BDO to Establish Employee Stock Ownership Plan as Part of U.S. Restructuring, Wall Street Journal (Aug. 14, 2023); Kenney, Private Equity Eyes Accounting Firms Large and Small; Natalia M. Greene, Private Equity and Auditor Independence, Accounting Today (June 28, 2023).
Beyond sharing information with the Board's oversight authorities, immediate actions, if any, will depend on the nature of the material specified event or significant cybersecurity incident. The PCAOB has resources to turn inspection activities toward emerging risks or events, and timely reporting by firms of material specified events or significant cybersecurity incidents could inform whether to utilize those resources. In addition, the required reporting for events that trigger material claims on insurance policies or other material specified events will be confidentially reported and not publicly disclosed. To the extent that firms are experiencing currently unspecified events that are relevant to effective statutory oversight but not reporting the events to PCAOB on a voluntary ad hoc basis, the firms may lack clarity about what is expected of them. By adding material specified events and significant cybersecurity incidents to Form 3, potential ambiguity will be mitigated, and the effectiveness of PCAOB oversight will be enhanced. Based on the additional coverage of material specified events and significant cybersecurity incidents, the Board anticipates that the numbers of Form 3 filed will likely increase relative to the counts reported in Figure 2 for the 2023 filing year. However, the increase in the numbers of filings related to material specified events will be bounded by the limited scope of the reporting requirement to annually inspected firms.
In combination, the required information collection on Form 2 and Form 3 will inform PCAOB staff's understanding of a firm's operations and financial strength to help the Board assess and share information with the Board's oversight authorities regarding certain developments. For example, in the case of a material financial event that threatens a firm's ability to continue as a going concern or the quality of a firm's audits, reporting of the event on Form 3 will better position the Board to assess and share information with the Board's oversight authorities regarding potential implications for the firm and its issuers. 220 Information reported on the most recent Form 2, such as disaggregated fees, will be useful to determine if the firm's practice is concentrated on a particular client type and assess implications for issuers to find another firm. The information may also prompt the Board to request additional information to further its understanding or to take no action.
Footnotes:
220 ? See, e.g., ACAP Final Report, at VIII.9, which recommends that regulators monitor potential sources of catastrophic risk faced by firms and create a mechanism for the preservation and rehabilitation of troubled larger firms.
The required confidential reporting of the largest firms' financial statements will enable PCAOB staff to assess the operating and financial resources that firms have available in light of the large number of audits and complex audit engagements the firms perform. Requiring firms to compile financial statements in accordance with an accrual basis of accounting will support effective regulatory oversight by facilitating an understanding of a firm's liabilities and obligations that could impact the firm's incentives and constraints to provide quality audit services. Requiring firms to delineate revenue and operating income by service line will enable the Board to understand the firm's audit practice in context with the firm's other lines of business as noted in the Discussion of the Reporting Updates section. The benefits associated with firms' financial statements will be attenuated to the extent that accrual-based financial statements are already received through the inspection process, which as explained in above is the case for U.S. GNFs.
Several commenters suggested that the proposal lacked an explanation of the explicit uses of the financial statements or actions the Board could take based on information in the financial statements. However, the proposal explained that an assessment of resources could aid the Board's understanding of a firm's capacity to withstand risks associated with events such as court judgments against the firm or threats to global networks or other affiliates that may require the firm's support. For example, if there is a threat to a global network affiliate, financial statements could aid PCAOB staff's evaluation of whether the U.S. firm has the operating and financial capacity to provide support to the distressed affiliate in order to preserve the network's ability to perform a multinational audit. The availability of financial statements will also enable the Board to observe detectable unexplained changes in the firm's financial health and decide whether to discuss those changes with firm leadership to understand the circumstances that caused the changes and the potential impact on audit quality.
[top] The failure of a large firm could be broadly consequential if it leads to market disruptions that threaten audit quality. While the required information collection will be useful to enhance the effectiveness of PCAOB oversight for individual firms, some required disclosures or confidential reporting regarding large firms may indicate implications for the broader audit market and the potential impact on audit quality. For example, the failure of a large firm may pose challenges to issuers trying to engage a new firm and could lead to less reliable audits in the short run because remaining firms might be overworked or lack relevant knowledge and resources. While economic theory is inconclusive on the relationship between audit market competition and audit quality, 221 academic research finds that market concentration and audit fees increased after Arthur Anderson's exit from the
Footnotes:
221 ? See, e.g., Yue Pan, Nemit Shroff, and Pengdong Zhang, The Dark Side of Audit Market Competition, 75 Journal of Accounting and Economics 1 (2023) (explaining that greater competition may foster audit process innovation, reduce firm complacency, or strengthen firm reputational incentives to supply high audit quality or that competition may lower audit quality if it leads firms to focus on appeasing clients by reducing professional skepticism and allowing clients excessive financial reporting discretion).
222 ?See, e.g., Emilie R. Feldman, A Basic Quantification of the Competitive Implications of the Demise of Arthur Anderson, 29 Review of Industrial Organization 193 (2006).
223 ?See, e.g., Gerakos and Syverson, Competition in the Audit Market 725.
The PCAOB staff actively engages in research related to the market for assurance services to further the PCAOB's mission, by informing the standard-setting and rulemaking agenda among other uses. In addition to the other benefits, the Board believes that the additional data provided by the final rule will enhance the PCAOB's ability to produce impactful research and recirculate that gained knowledge into improved standards and rules. Relatedly, the Board believes that the required disclosures will provide valuable information sources for the public, including academic research. Improved research quality is an important benefit because quality research contributes to the PCAOB's standard-setting and rulemaking projects, which in turn has the potential to improve capital markets and protect investors. Overall, estimates of the social and economic benefits of more effective regulatory oversight and additional research would be unreliable due to data limitations.
One commenter asserted that the proposal did not explain that the PCAOB makes confidential data available to third-party researchers for their personal research purposes through the PCAOB's Fellowship Program, and the commenter questioned the transparency and integrity of the program. However, the PCAOB maintains a Fellowship Program for interested academics to join the PCAOB as employees, rather than as third-party researchers. 224 PCAOB's academic fellows work with PCAOB staff on PCAOB projects and develop working papers and publishable research on topics relevant to the PCAOB's mission. The academic fellows hired through the program are subject to the PCAOB's ethics code, including confidentiality restrictions therein, and protocols that govern internal review and public dissemination of the resulting research. While the Board approves proposed research topics prior to hiring academic fellows, conclusions reached in working papers and publications solely reflect the views of the authors and are not evaluated or approved by the Board. 225 The commenter also asserted that the PCAOB does not obtain approval from audit firms for use of the firms' confidential data by third parties. However, under Sarbanes-Oxley, the information filed by audit firms is regulatory information, and the PCAOB's use of that information, including use by academic fellows, who are employees of the PCAOB, is consistent with Sarbanes-Oxley.
Footnotes:
224 ?More information regarding the PCAOB Fellowship Program can be found on the PCAOB's website, available at https://pcaobus.org/careers/econfellowship.
225 ?More information regarding working papers and publications developed by academic fellows can be found on the PCAOB's website, available at https://pcaobus.org/resources/information-for-academics/publications-and-workingpapers.
ii. Indirect Benefits
Enhanced transparency of audit firms may prompt some firms to manage their operating characteristics in anticipation of investor and audit committee reactions to the required disclosures. For example, in light of the required governance disclosures, some firms may establish or strengthen governing boards, which will support leadership and promote accountability within the firm. At the margins, some firms may also seek network memberships or initiate more active participation in existing networks, which could strengthen the firms' own technical capacity. In addition, some firms may establish or improve integration of cybersecurity policies and procedures into their risk management systems or engage more third-party specialists to address cybersecurity risks, which could reduce firms' vulnerabilities to cyberattacks and thereby reduce the impacts of future cyberattacks. These indirect benefits will enhance firms' capacities, incentives, and constraints to provide quality audit services.
Firms will also be able to compare their own information against other firms and, thus, better manage their own audit practices. The extent of this benefit will depend on whether the firms already collect information for comparison or benchmarking purposes. Firms that do not currently collect any information will likely benefit more from the required disclosures. One commenter asserted that benefits will not accrue to smaller firms but did not explain why smaller firms may be less inclined to use the required disclosures in this way. The Board believes that firms' uses of the required disclosures may vary across firms. The Board next discusses indirect benefits linked to improved audit quality, financial reporting quality, capital market efficiency, and competition.
a. Improved Audit Quality, Financial Reporting Quality, and Capital Market Efficiency
[top] While the required disclosures will not necessarily have a direct relationship to audit quality, they may enhance audit quality as investors and audit committees iteratively select and monitor firms and advance their understanding of the information content of the required disclosures through communication with firms and evaluation of firm characteristics. 226 Since auditors have a responsibility to provide reasonable assurance about whether financial statements are free of material misstatements, enhanced audit quality could increase the likelihood that the auditor will discover a material misstatement or will qualify its audit opinion when a material misstatement exists and is not corrected by management. If a registrant files with the SEC financial statements that are accompanied by a qualified auditor's report, the filing may be deemed deficient and considered not timely filed. 227 Furthermore, a qualified audit opinion may evoke negative market reactions. For these reasons, enhanced audit quality could incentivize issuers to take steps to ensure their financial statements are free of material misstatements. Issuers could take these steps proactively, prior to the audit, or
Footnotes:
226 ? See, e.g., Dao, et al., Shareholder Voting on Auditor Selection 168 (finding evidence that shareholder involvement in firm selection is associated with higher audit fees and improved audit quality); Mert Erinc and Tzachi Zach, Auditor-Client Compatibility and Audit Quality, available on SSRN: https://ssrn.com/abstract=4703916 (2024) (finding that auditor fit-as measured by a metric that links PCAOB inspection deficiencies to the most critical accounting areas disclosed in 10Ks-is negatively related to restatements, abnormal accruals, and Dechow-Dichev discretionary accruals). The Board notes that SSRN does not peer review its submissions. In principle, iterative selection and monitoring could lead to a reduction in the overall quality of audit services. For example, some issuers may seek lower audit fees at the expense of audit quality. Due to the fact that the required disclosures will be public, the Board believes, in most cases, this would be less likely.
227 ? See, e.g., SEC, Division of Corporation Finance, Financial Reporting Manual, Section 4220 (last updated: 10/30/2020), available at https://www.sec.gov/corpfin/cf-manual/topic-4.
228 ?The Board notes three caveats. First, some theoretical research finds that changes to auditing standards can have counterintuitive effects on audit quality. See, e.g., Marleen Willekens and Dan A. Simunic, Precision in Auditing Standards: Effects on Auditor and Director Liability and the Supply and Demand for Audit Services, 37 Accounting and Business Research 217 (2007) (finding that increased precision in auditing standards can reduce audit quality); Pingyang Gao and Gaoqing Zhang, Auditing Standards, Professional Judgment, and Audit Quality, 94 The Accounting Review 201 (2019) (showing that setting a higher minimum bar can reduce quality). The Board notes that these studies examine the impacts of audit performance standards. By contrast, Firm Reporting is a disclosure rule. The Board is also unaware of empirical evidence that directly tests these theories. Second, the conclusion that financial statements that are free of material misstatements are more useful to investors hinges on the assumption that investors value compliance with the applicable financial reporting framework ( e.g., U.S. GAAP). The various market reactions to restatements that have been documented in academic literature suggests that this is the case. See, e.g., Mark DeFond and Jieying Zhang, A Review of Archival Auditing Research, 58 Journal of Accounting and Economics 275 (2014) (explaining that restatements are one of the most commonly used measures of misstatements in auditing research). Third, the conclusion that improved audit quality will improve financial reporting quality assumes that issuers will not switch to sufficiently lower quality auditors in sufficient numbers as a result of the Firm Reporting rule.
More reliable financial information allows investors to improve the efficiency of their capital allocation decisions ( e.g., investors may more accurately identify companies with the strongest prospects for generating future risk-adjusted returns and reallocate their capital accordingly). 229 Investor confidence in financial reporting quality could also increase and lower investors' perceived risk in capital markets generally, which economic theory suggests can lead to an increase in the supply of capital. 230 An increase in the supply of capital could increase capital formation while also reducing the issuer's cost of capital. 231 A reduction in the cost of capital reflects a welfare gain because investors perceive less risk in capital markets. 232
Footnotes:
229 ?Economic theory suggests that additional information generally improves outcomes in incentive contracts between principals ( e.g., investors) and agents ( e.g., company management). See, e.g., Bengt Holmström, Moral Hazard and Observability, 10 The Bell Journal of Economics 74 (1979) (finding that efficiency improves when contractable information about an agent's performance is available to the agent's principal).
230 ? See, e.g., Richard A. Lambert, Christian Leuz, and Robert E. Verrecchia, Accounting Information, Disclosure, and the Cost of Capital, 45 Journal of Accounting Research 385 (2007) (concluding that improving the quality of accounting disclosures can influence the cost of capital and under certain conditions can unambiguously lower the cost of capital).
231 ? See, e.g., Richard A. Lambert, Christian Leuz, and Robert E. Verrecchia, Information Asymmetry, Information Precision, and the Cost of Capital, 16 Review of Finance 1, 16-18 (2011) (discussing the theoretical link between financial reporting quality and cost of capital).
232 ?Based on results from academic literature, the Firm and Engagement Metrics rule quantifies that a single basis point reduction in the weighted average cost of capital would imply at least $91.6 billion in welfare gains. See Firm and Engagement Metrics, PCAOB Rel. No. 2024-002 (April 9, 2024) for the calculations and related discussion.
One commenter suggested that the required disclosures are unrelated to a company's value creation activities or gauging shareholder returns on investments and, thus, the required disclosures cannot serve to inform investors' decisions to vote on shareholder ratification of the auditor or allocate capital. While the Board agrees that the required disclosures are not directly related to a company's value creation activities or gauging shareholder returns on investments, the Board continues to believe that the required disclosures could serve as an indirect channel for investors to improve the efficiency of their capital allocation decisions as described in the proposal and in this section. In addition, as noted in above, investor-related groups affirmed the decision-usefulness of the required disclosures for ratification votes as articulated in the proposal.
Several commenters agreed that the required disclosures will not necessarily have a direct relationship to audit quality and questioned how the required disclosures will impact audit quality. One commenter asserted that enhanced audit quality through iterative selection and monitoring is not a meaningful benefit because shareholder voting on audit firm appointment ratification is not required under U.S. laws and is generally non-binding. While the direct benefits described in the proposal and above do not depend on audit quality, the Board continues to believe that indirect benefits described in the proposal and in this section, including enhanced audit quality and financial reporting quality, may be derived from a process of iterative selection and monitoring. In addition, the Board noted in the proposal and in this release that shareholder voting on audit firm ratification is not required under U.S. laws and is generally non-binding, but iterative selection and monitoring may include investors iteratively selecting and monitoring audit committee members in addition to investors and audit committees iteratively selecting and monitoring audit firms.
Two commenters suggested that without a direct link to audit quality, the benefits to investors and audit committees are uncertain. While the Board agrees that the caveats and limitations enumerated for the direct benefits described above do generate some uncertainty regarding the direct benefits associated with the required disclosures, the direct benefits to investors, audit committees, and other stakeholders do not depend on improvements to audit quality. As noted above, investor-related groups and audit committee members affirmed the usefulness of the required disclosures.
[top] One commenter suggested that comprehending the relationship between the reporting requirements and audit quality is challenging without a precise definition of audit quality. However, as noted in the proposal and above in this release, audit quality is an abstract concept, and there is no single comprehensive measure of audit quality. Nevertheless, the Board agrees that investors want to maximize audit quality for a given amount of fees they are willing to pay, and a section below summarizes considerations that suggest each of the areas of disclosure will help investors pursue higher audit quality. Another commenter suggested that using an investor's lens to evaluate a firm's financial success does not equate to evaluating a firm's audit quality. However, the Board believes the information that will be publicly disclosed under the reporting requirements will help investors because of the information's relevance to audit quality, as suggested in the section below, rather than financial success per se. Moreover, the required reporting of the largest firms' financial statements is analyzed through a regulatory lens in a section below because financial statements will be reported confidentially to the PCAOB. One commenter asserted that rather than focusing on audit quality, the reporting requirements focus on audit firms providing information to facilitate PCAOB monitoring of audit firm operations and financial stability. While the Board agrees that the reporting requirements will facilitate PCAOB monitoring of audit firm operating and financial characteristics, the purpose of the monitoring is to plan and scope inspections and identify developments that may lead to disruptions in the timely issuance of audit opinions under certain circumstances or lead to audit market disruptions that threaten audit quality.
b. Competition
(1) Capital Market Reactions to Firm Information
As the additional information, context, and perspective regarding audit firms will help investors assess a firm's capacity, incentives, and constraints to provide quality audit services, it will, by extension, help investors assess financial reporting quality. 233 Investors will therefore be able to incorporate the required disclosures into their portfolio selection decisions. 234
Footnotes:
233 ? See above for a discussion regarding the association between audit quality and financial reporting quality.
234 ?There is an extensive body of academic literature suggesting that financial markets incorporate information into securities prices. See, e.g., Eugene F. Fama, Efficient Capital Markets: A Review of Theory and Empirical Work, 25 The Journal of Finance 383 (1970).
Issuers audited by firms whose characteristics capital markets associate with higher financial reporting quality may experience reduced cost of capital or other capital market benefits and investors may reallocate their capital accordingly. Taken in isolation, this could tend to result in a reallocation of capital from issuers with perceived less reliable financial reporting quality to issuers with perceived higher financial reporting quality.
These capital market reactions could provide audit committees with a stronger incentive to appoint an audit firm whose operating characteristics capital markets associate with higher financial reporting quality. These effects could lead to increases in audit fees for firms that experience increased demand for their services. The opposite could result for other firms. Facing capacity constraints, some firms may turn down engagements or recruit additional staff to expand capacity.
(2) Audit Firm Competition
Economic theory suggests that reductions in search costs can lead to increased competition, 235 which may result in lower audit fees or higher audit quality. 236 In the process of selecting a firm, audit committees and investors incur search costs associated with finding information and comparing and evaluating firms. The required disclosures will reduce search costs and provide audit committees and investors with greater insights into which firm could best meet investor needs regarding the audit.
Footnotes:
235 ?See, e.g., Jean Tirole, The Theory of Industrial Organization 294 (1988); Helmut Bester, Bargaining, Search Costs and Equilibrium Price Distributions, 55 The Review of Economic Studies 201 (1988).
236 ?The relationship between increased competition and lower audit fees is well-established. See, e.g., Wieteke Numan and Marleen Willekens, An Empirical Test to Spatial Competition in the Audit Market, 53 Journal of Accounting and Economics 450 (2012); Andrew R. Kitto, The Effects of Non-Big 4 Mergers on Audit Efficiency and Audit Market Competition, 77 Journal of Accounting and Economics 1 (2024). The relationship between increased competition and audit quality is less conclusive. See, e.g., Pan et al., The Dark Side 1; Andrew Kitto, Phillip T. Lamoreaux, and Devin Williams, Do Entry Barriers Allow Low Quality Audit Firms to Enter the Public Company Audit Market? (2023) available on SSRN: https://papers.ssrn.com/abstract=3572688.
Against the backdrop of capital market reactions to the required disclosures and as firms become better able to monetize their reputations, firms will have an incentive to compete on some of the operating characteristics. As described above, some firms may seek to manage their characteristics by establishing or strengthening governing boards, participating more in networks, or integrating cybersecurity policies and procedures into risk management systems. This competitive dynamic will enhance audit quality and, by extension, financial reporting quality. One commenter noted that the audit has become commodified and that firms compete primarily on cost due to a lack of information on audit quality. The commenter explained that this results in audit firms "squeezing" professional staff for productivity.
The Board notes that the benefits linked to competition among audit firms could vary between audits conducted by larger and smaller firms. In particular, the benefits could be reduced for the larger issuer segment of the market because larger issuers have fewer firms available to choose from that are able to perform large, complex audits. 237
Footnotes:
237 ?Economic research identifies three features of the audit market that may impact the market's competitive dynamics: its role in preserving transparency and improving the functioning of capital markets; high degree of mandated demand; and concentrated supply. See, e.g., Gerakos and Syverson, Competition in the Audit Market 725.
iii. Academic Literature Related to the Required Disclosures
In the following discussion, the Board reviews academic research and other considerations related to each of the areas of required disclosures- i.e., financial, governance, network, cybersecurity-and the updated description of QC policies and procedures to consider how the disclosures might function as useful information to enable investors and audit committees to more efficiently and effectively differentiate among individual firms. The Board notes five caveats. First, some of the studies rely on proxies for the required disclosures or use data from foreign jurisdictions. The relevance of the studies is therefore limited to the extent that the proxies are not equivalent to the required disclosures or to the extent that results may not be applicable to the U.S. audit market more generally. Second, while the studies may draw conclusions regarding a particular characteristic's relationship to publicly available proxies for audit quality, this does not imply that the characteristic will provide any new insights to investors and audit committees incremental to the insights already provided by the publicly available proxies for audit quality. Third, those relationships may be too indirect or difficult to fully evaluate. Moreover, the required disclosures will not directly measure audit quality. Audit quality is an abstract concept, and there is no single comprehensive measure of audit quality. Fourth, the Board notes that benefits related to any required disclosure will be reduced to the extent that the same reliable measures are publicly available from other sources. Fifth, benefits related to any required disclosure may vary between larger firms and smaller firms.
[top] One commenter reported results of a survey of 100 institutional investor respondents that indicates 57 percent of respondents feel that the information available to assess the quality of the audit of a publicly traded company meets all of the respondent's needs, 35 percent feel that the information available meets most of the respondent's needs, and 8 percent feel that the information available meets some of the respondent's needs. 238 The commenter also reported survey results regarding the ways that institutional investors evaluate the quality and reliability of the audit of financial statements. 239 Among the top three, 43 percent of respondents chose the auditor's opinion on the financial statements and ICFR, 40 percent chose audit quality reports issued by the audit firm conducting the audit, and 38 percent chose PCAOB inspection reports of the firm performing the audit. The commenter also reported results of a survey of 242 audit committee member respondents regarding the ways they evaluate the quality and reliability of the audit of financial statements. 240 Among the top
Footnotes:
238 ? See CAQ Investor Survey. The survey question asked, "How do you feel about the information available to you to assess the quality of the audit of a publicly traded company you invest in or follow?"
239 ? See CAQ Investor Survey. The survey question asked, "What are the top three ways that you evaluate the quality and reliability of the audit of financial statements of publicly traded companies you invest in or follow? Please choose up to three."
240 ? See CAQ Audit Committee Survey. The survey question asked, "How do you evaluate the quality and reliability of the audit of financial statements of the publicly traded companies for which you sit on the board?"
a. Financial Information
The required disclosures regarding disaggregation of fees will help investors and audit committees assess dimensions of a firm's PCAOB audit practice-such as size, audit versus non-audit focus, or attention to issuer audits versus broker-dealer audits-to determine whether the firm has the technical and operating capacity to perform the audit. The disaggregation of fees will help assess whether the firm may be reliant on revenue from services other than audits in a manner that could influence the firm's independence or decision-making. The revision to the instructions to Form 2 to delete the language permitting foreign registered firms to request confidential treatment of information provided in response to Form 2, Item 3.2 (Fees Billed to Issuer Audit Clients), will remove an accommodation that is extended to foreign registered firms that is not extended to domestic registered firms.
Academic research suggests that audit firm risk profiles can be reasonably assessed by insurers who set premiums for audit firms based, at least in part, on information contained in fees-such as audit practice size or revenue growth. 241 Audit practice size could be determined based on fees, and revenue growth could be calculated from fees reported consistently over time. Moreover, research suggests that the percentage of non-audit fees to total fees billed to audit clients could be used to inform investors' views of firm independence. 242
Footnotes:
241 ? See, e.g., Jeffrey R. Casterella, Kevan L. Jensen, and W. Robert Knechel, Litigation Risk and Audit Firm Characteristics, 29 Auditing: A Journal of Practice & Theory 71, 80 (2010).
242 ?See, e.g., Mishra, et al., Do Investors' Perceptions Vary 9; Cunningham, Auditor Ratification 174.
One commenter asserted that the proposal failed to explain how investors will process expanded fee information and whether such information will be useful or appropriately interpreted. The commenter suggested that the potential benefits of further disaggregation and granularity of fees are uncertain without evidence to support how the required disclosures will be used. Another commenter asserted that the proposal did not provide evidence that the fee information will provide stakeholders with decision-useful information or help them assess a firm's ability to deliver audit services. Two commenters asserted that a more meaningful measure of audit fees is already provided to investors in SEC filings. One commenter asserted that presenting fees in dollar amounts will distract from comparability across firms because of the vast differences in the size of firms serving as issuer and broker-dealer auditors and that presenting fees in dollar amounts will shift focus away from the size of a firm's issuer audit practice to the size of its practice as a whole. Another commenter suggested that comparability of audit fees across firms will be severely limited because of different sizes and operating structures of the firms. Several commenters asserted that the proposal was not clear on how investors and audit committees will use disaggregated fee information about private company audits.
While the Board believes that the uses of the required audit fee disclosures may vary across investors, the academic research cited above suggests how investors may process and use the information. The Board also believes that interpretation of the information may vary across investors and that investors will need to be responsible users of the information. One commenter reported results of a survey of 100 institutional investor respondents in which 37 percent of respondents indicated that expanded fee information will be extremely helpful? 243 and 48 percent of respondents were extremely likely to seek the information out. 244 In addition, audit fees reported in SEC filings reflect fees paid by a specific issuer rather than fees received by a specific audit firm, the latter of which is the focus of the required disclosures. Moreover, the Board agrees that comparability may likely be most meaningful among firms of the same size class, which will be possible with the required disclosures. However, differences among firms do not detract from comparability but rather enable users to distinguish one firm from another. Likewise, the required fee disclosures will enable users to observe the size of the firm's audit practice, the size of the overall firm, or both, depending on the users' interests, but the Board has no reason to believe that reporting both will shift focus away from one or the other. Finally, the final rule eliminates the proposed requirement to provide disaggregated data for audit services billed to non-issuers and non-broker-dealers, which includes private company audits.
Footnotes:
243 ? See CAQ Investor Survey. The survey question asked, "How useful would each of the following firm-level metrics be to you in evaluating the quality of an audit of a company you invest in or follow?" The Board notes that the survey results could vary based on any differences between the proposed disclosures and the adopted disclosures.
244 ? See CAQ Investor Survey. The survey question asked, "If this information were made public on the PCAOB's website, how likely would you be to proactively seek out the information on the audit firm in evaluating the quality of an audit of a company you invest in or follow?" The Board notes that the survey results could vary based on any differences between the proposed disclosures and the adopted disclosures.
One commenter explained that a firm with more total fees from audit services may imply more capacity, but the only true measure of capacity is the number of resources that are available and unused. The point raised by the commenter is one of excess resource capacity within a single firm rather than operating capacity between two firms. While the Board agrees that excess resource capacity has informational value, the required disclosure focuses on firm size and operating capacity rather than excess resource capacity.
b. Governance Information
[top] The required disclosures regarding a firm's principal executive officer, executive officers who are responsible for various components of the QC system, governing boards or management committees, and executive officer of the audit practice will provide investors and audit committees with consistent and comparable information to understand incentives at the firm level based on who is responsible for establishing work culture, tone at the top, and mechanisms for accountability. 245 The required
Footnotes:
245 ? See, e.g., Ken Tysiac, Audit Quality Indicators Show Importance of Tone at the Top, Journal of Accountancy (Apr. 21, 2022) (explaining that a firm's tone at the top and appropriate deployment of personnel are among the most important indicators of audit quality, according to an AICPA survey of public accounting firms).
246 ? See, e.g., Henry L. Tosi, Jeffrey P. Katz, Luis R. Gomez-Mejia, Disaggregating the Agency Contract: The Effects of Monitoring, Incentive Alignment, and Term in Office on Agent Decision Making, 40 Academy of Management Journal 584 (1997) (finding that incentive alignment in company governance is a powerful mechanism to ensure agents act in the best interests of principals); Levin and Tadelis, Profit Sharing and the Role of Professional Partnerships 163; IOSCO, Transparency of Firms that Audit Public Companies (Sep. 2009) (explaining that governance, including the organizational structure, of firms is perceived to have a significant influence on audit quality and a firm's ability to continuously provide audit services to the market).
Academic research suggests that stronger governance at U.S. national offices results in improved audit quality for U.S. local offices. 247 In addition, academic research indicates that information contained in governance disclosures required of Australian firms-such as legal and governance structure-is useful to assess audit quality for large firms. 248 Literature also finds that governance disclosures-such as legal structure, ownership, and governance processes-positively affect investor confidence and reduce the cost of capital for some European Union companies. 249 Finally, research suggests that the information contained in European firms' current governance disclosures is of low value and could potentially be resolved through efforts by oversight bodies and the auditing profession to improve information value. 250 Since U.S. institutions differ from other countries and governance measures vary widely across the studies, the results from these studies may not directly relate to all PCAOB-registered firms.
Footnotes:
247 ? See, e.g., Jade Huayu Chen and Preeti Choudhary, The Impact of National Office Governance on Audit Quality (2020), available on SSRN: https://ssrn.com/abstract=3702083 (2020) (finding that closer proximity between a national office and a local office strengthens national office governance through monitoring and knowledge transfer, resulting in improved audit quality at the local office). The Board notes that SSRN does not peer review its submissions.
248 ? See, e.g., Johl, et al., Audit Firm Transparency Disclosures 508. One commenter asserted that the proposal did not discuss evidence from this study that suggests results are not robust to all types of firms. However, the discussion in the proposal, like the discussion here, noted that the result was found for large firms. In addition, the initial citation of the study in the proposal noted that the study found no statistical association between governance disclosures and audit quality for medium and smaller firms.
249 ? See, e.g., La Rosa, et al., Corporate Governance of Audit Firms 19, 30 (finding that the cost of equity of public interest entities in the European Union tends to decrease after the release of audit firm transparency reports as a result of increases in investor confidence).
250 ? See, e.g., Deumes et al., Audit Firm Governance 207-208. One commenter asserted that the proposal did not discuss this study, potentially overstating the benefits of the required disclosures. However, the discussion in the proposal, like the discussion here, included this study. In addition, the initial citation of the study in the proposal noted that the study concluded that current transparency report disclosures required in the European Union do not appear to reveal underlying audit firm quality.
One firm commenter said that the required governance disclosures will provide investors with a view of how an audit firm is structured. Investor-related groups agreed that: (i) the disclosures will inform stakeholders of a governance mechanism they may consider relevant to audit quality, (ii) requiring the information will increase standardization and comparability, and (iii) the reporting of the information may lead to increased engagement between firms and audit committees, investors, and other stakeholders. One firm commenter agreed there could be benefits associated with some of the required governance disclosures but disagreed there are any benefits associated with naming individuals in various roles. Some firm commenters did not support the proposed governance disclosures but expressed that some disclosures could provide more benefits than the disclosures naming individuals in lower ranking roles and the description of the processes governing changes in form of organization. One commenter suggested that identification of all direct reports to the principal executive officer could be interpreted in different ways, which will affect comparability. Another commenter suggested that identification of direct reports to the principal executive officer could decrease the willingness of qualified people to perform roles like the EQCF. One commenter affirmed that the required governance disclosures might improve audit quality but that such improvements may not be meaningful or consequential. Another commenter questioned whether the required governance disclosures will enhance audit quality. One commenter said that the benefits and uses of the required governance disclosures to investors and the public are not clear. Another commenter asserted there is no evidence that different governance practices have a significant impact on audit quality, which may lead users to draw inappropriate conclusions.
While the Board believes that the relevance of some of the required governance disclosures may vary across investors and other users of the information, the final rule does not require firms to name direct reports to the principal executive officer and eliminates the proposed requirement to provide a description of the processes that govern a change in the form of organization. In addition, while the required governance disclosures may indirectly enhance audit quality as described above, the direct benefits described in the proposal and above do not depend on audit quality. Moreover, the Board believes that the benefits and uses of the required governance disclosures may vary across investors and the public, and the comments and academic research cited above suggest how investors and the public may benefit from and use the information. One commenter reported results of a survey of 100 institutional investor respondents in which 36 percent of respondents indicated that governance information will be extremely helpful? 251 and 38 percent of respondents were extremely likely to seek the information out. 252 Finally, the academic research cited above suggests that governance practices may impact audit quality, but even in the absence of a relationship between governance practices and audit quality, users will need to be responsible users of the information to draw appropriate conclusions.
Footnotes:
251 ? See CAQ Investor Survey. The survey question asked, "How useful would each of the following firm-level metrics be to you in evaluating the quality of an audit of a company you invest in or follow?" The Board notes that the survey results could vary based on any differences between the proposed disclosures and the adopted disclosures.
252 ? See CAQ Investor Survey. The survey question asked, "If this information were made public on the PCAOB's website, how likely would you be to proactively seek out the information on the audit firm in evaluating the quality of an audit of a company you invest in or follow?" The Board notes that the survey results could vary based on any differences between the proposed disclosures and the adopted disclosures.
c. Network Information
[top] The required disclosures regarding a description of the network structure and the relationship of the registered firm to the network-including whether the registered firm has access to resources such as firm methodologies and training, whether the firm shares information with the network regarding its audits, whether the firm is subject to inspection by the network, and other information the firm considers relevant to understanding how the network relationship relates to its conduct of audits-will provide investors and audit committees with consistent and comparable information to understand
Academic research suggests that information contained in the required network disclosures-such as audit methodologies and technical resources-will be useful to assess audit quality. 253 In addition, research indicates that information regarding a registered firm's relationship to a network and how the relationship relates to the firm's conduct of audits will help assess the firm's capacity to perform an audit. 254 Moreover, research finds that information contained in network disclosures in general will be particularly useful to assess audit quality and fees charged by smaller firms. 255 Since network membership may tend to be chosen by firms that are more inclined to focus on audit quality, the results from these studies may not generalize equally to all PCAOB-registered firms.
Footnotes:
253 ?See, e.g., Juan Mao, Non-Big 6 Audit Firms' Access to External Resources through Inter-Organizational Relationships (IORs): Insights from the PCAOB, University of Texas at San Antonio Working Paper Series WP# 0231ACC (2019) (finding for smaller audit firms that audit quality is improved when the firms have access to audit manuals and technologies through network relationships).
254 ? See, e.g., Bills et al., Small Audit Firm Membership 767 (explaining that smaller firm membership in accounting networks provides the firm with access to expertise and technical trainings among other resources).
255 ? See, e.g., Bills et al., Small Audit Firm Membership 767 (finding that smaller firms that are members of networks have fewer PCAOB inspection deficiencies, fewer financial statement misstatements, and higher audit fees than their non-member peers).
One firm commenter agreed that network arrangements provide a variety of benefits to its members. Some firm commenters asserted that the proposal was unclear regarding the purpose of requiring network information. Some commenters asserted that the proposal was unclear or provided no evidence how the required network disclosures will be useful to investors and audit committees. Another commenter asserted that the proposal did not provide evidence that the required network disclosures will improve stakeholder assessments of a firm's ability to deliver quality audit services but suggested that some disclosures seem more likely to be relevant to stakeholders than other disclosures.
The Board believes that the relevance and usefulness of some of the required network disclosures may vary across investors and audit committees, and the comments and academic research cited above indicate that investors and audit committees will have reason to value the information. In addition, modifying the requirement to focus on the registered firm and the aspects of its relationship with the network that most directly relate to the firm's conduct of audits contributes to the relevance and usefulness of the information. One commenter reported results of a survey of 100 institutional investor respondents in which 35 percent of respondents indicated that network information will be extremely helpful? 256 and 36 percent of respondents were extremely likely to seek the information out. 257
Footnotes:
256 ? See CAQ Investor Survey. The survey question asked, "How useful would each of the following firm-level metrics be to you in evaluating the quality of an audit of a company you invest in or follow?" The Board notes that the survey results could vary based on any differences between the proposed disclosures and the adopted disclosures.
257 ? See CAQ Investor Survey. The survey question asked, "If this information were made public on the PCAOB's website, how likely would you be to proactively seek out the information on the audit firm in evaluating the quality of an audit of a company you invest in or follow?" The Board notes that the survey results could vary based on any differences between the proposed disclosures and the adopted disclosures.
d. Cybersecurity Information
The required disclosures regarding integration of cybersecurity policies and procedures into risk management systems, engagement of third parties in relation to cybersecurity risks, and policies and procedures to oversee and identify threats associated with third-party service providers will provide investors and audit committees with information to understand efforts taken to protect an issuer's confidential data. 258 The required disclosures will also facilitate differentiation among firms based on information that could help investors and audit committees assess a firm's vulnerability to cyberattacks, which could impact a firm's operations and ability to continue delivering quality audit services. 259 The Board notes that institutional investors may be more inclined than retail investors to employ resources assessing cybersecurity policies and procedures because of the expertise required. 260
Footnotes:
258 ? See, e.g., Nick Hopkins, Deloitte Hit by Cyberattack Revealing Client's Secret Emails, Guardian (Sep. 25, 2017) (discussing consequences for issuers' data that resulted from a cyberattack at one of the largest firms).
259 ? See, e.g., Patrick Münch, The Importance of Cybersecurity in Accounting, Accounting Today (Feb. 21, 2023) (explaining that accounting firms should regularly evaluate their cybersecurity processes and policies to ensure they are taking full advantage of the latest tools and techniques to protect against cyberattacks). For examples of business operations that have been disrupted by cyberattacks, see, e.g., David E. Sanger, Clifford Krauss, and Nicole Perlroth, Cyberattack Forces a Shutdown of a Top U.S. Pipeline, The New York Times (May 8, 2021); Reuters, Estee Lauder Hit by Cyberattack, Some Business Operations Affected (July 20, 2023).
260 ? See, e.g., PCAOB Investor Advisory Group Meeting (Sep. 26, 2024).
Academic research suggests that information contained in the required disclosures will be useful to assess whether a firm has policies and procedures in place to manage the risk of a potential cyberattack that could impact a firm's reputation, 261 which investors rely on to infer audit quality since they cannot assess quality by casual observation. 262 In addition, research suggests that information contained in a firm's cybersecurity disclosures may help investors more efficiently price an issuer's securities to the extent that they are confident that a firm's policies and procedures provide sufficient protection against a potential cyberattack. 263
Footnotes:
261 ? See, e.g., Barri Litt, Paul Tanyi, and Marcia Weidenmier Watson, Cybersecurity Breach at a Big 4 Accounting Firm: Effects on Auditor Reputation, 37 Journal of Information Systems 2 (2023) (concluding that significant cyberattacks can negatively impact the reputation of any of the largest firms).
262 ? See, e.g., Karen M. Hennes, Andrew J. Leone, and Brian P. Miller, Determinants and Market Consequences of Auditor Dismissals after Accounting Restatements, 89 The Accounting Review 1051, 1055 (2014) (explaining that corporate boards and investors rely heavily on audit firm reputation to infer audit quality).
263 ? See, e.g., Litt et al., Cybersecurity Breach 2 (finding evidence of negative market returns for a large firm's issuer clients after a major cybersecurity incident at the firm was disclosed by a third party); Richardson et al., Much Ado about Nothing 249.
Several commenters supported the disclosure of cybersecurity policies and procedures. One commenter questioned the usefulness of disclosing cybersecurity policies and procedures because of the general nature of the information and more detailed information is part of the PCAOB's inspection requests and is often discussed with audit committees and company management. Another commenter asserted that there is little risk that a cybersecurity incident at an audit firm will impact a company's operations or financial reporting systems because firms are not in possession of a company's intellectual property or a company's personal identifying information. The commenter further asserted that it is unclear how a cybersecurity incident at an audit firm will likely substantially harm investors.
[top] Because investors are not privy to PCAOB inspection requests and may not be privy to an audit firm's discussions with the audit committee or company management, the Board continues to
Footnotes:
264 ? See CAQ Investor Survey. The survey question asked, "How useful would each of the following firm-level metrics be to you in evaluating the quality of an audit of a company you invest in or follow?" The Board notes that the survey results could vary based on any differences between the proposed disclosures and the adopted disclosures.
265 ? See CAQ Investor Survey. The survey question asked, "If this information were made public on the PCAOB's website, how likely would you be to proactively seek out the information on the audit firm in evaluating the quality of an audit of a company you invest in or follow?" The Board notes that the survey results could vary based on any differences between the proposed disclosures and the adopted disclosures.
266 ?See, e.g., Litt et al., Cybersecurity Breach 2.
e. Updated Description of QC Policies and Procedures
The required one-time disclosure of a firm's policies and procedures on Form QCPP will enable investors and audit committees to more efficiently understand differences among firms' quality control policies and procedures pursuant to QC 1000 and, thus, help assess a firm's capacity to deliver high-quality audit services for firms that provide audit services. 267
Footnotes:
267 ? See, e.g., Daniel Aobdia, The Economic Consequences of Audit Firms' Quality Control System Deficiencies, 66 Management Science 2883 (2020) (finding a negative association between performance-related quality control deficiencies identified during PCAOB inspections and audit quality).
Some commenters were supportive of firms providing an updated description of their QC policies and procedures and agreed with the benefits that may accrue to investors and audit committees, including increasing transparency. One commenter agreed that updated QC related information may be relevant but believes an update is not necessary because it duplicates the requirements of QC 1000. Another commenter noted, with respect to transparency, there were no specifics in the proposal on how investors and audit committees will evaluate the updated information. The commenter further expressed concern regarding the impact this requirement will have on inactive firms, as these firms will not have investors or audit committees in need of this information.
The required one-time update of a firm's policies and procedures on Form QCPP is unique to the Firm Reporting rule and is limited to firms that registered with the Board prior to the effective date of QC 1000. As suggested in the proposal and in this section, investors and audit committees could evaluate the updated information of one firm against the updated information of another firm to more efficiently understand differences among firms' quality control policies and procedures. One commenter reported results of a survey of 100 institutional investor respondents in which 50 percent of respondents indicated that information about a firm's QC system will be extremely helpful? 268 and 41 percent of respondents were extremely likely to seek the information out. 269 While the Board notes that the survey did not ask specifically about Form QCPP, the Board believes that Form QCPP will provide information about a firm's QC system. While the commenter did not offer a definition of "inactive" firms, the Board agrees that there could be circumstances in which investors and audit committees may not be in need of certain information reported on Form QCPP. However, because QC 1000 extends to all registered firms, the Board does not rule out the possibility that investors or audit committees could have future needs for the information. As noted in the Discussion of the Reporting Updates section, the Board believes that the overall reporting burden is reduced because of the one-time nature of Form QCPP and because the requirement is to summarize matters that firms are required to document under QC 1000. A section below discusses further the alternative of exempting firms from reporting requirements.
Footnotes:
268 ? See CAQ Investor Survey. The survey question asked, "How useful would each of the following firm-level metrics be to you in evaluating the quality of an audit of a company you invest in or follow?" The Board notes that the survey results could vary based on any differences between the proposed disclosures and the adopted disclosures.
269 ? See CAQ Investor Survey. The survey question asked, "If this information were made public on the PCAOB's website, how likely would you be to proactively seek out the information on the audit firm in evaluating the quality of an audit of a company you invest in or follow?" The Board notes that the survey results could vary based on any differences between the proposed disclosures and the adopted disclosures.
2. Costs
In the following discussion, the Board considers direct and indirect costs related to the final rule. The Board has attempted to quantify costs where possible. However, quantification is generally not reliable due to data limitations, particularly the indirect costs.
• First, firms will incur direct costs developing a reporting infrastructure or updating existing infrastructure.
• Second, firms will incur direct costs complying with the requirements to complete Form 2 and Form 3 and file them with the PCAOB.
• Third, market participants will incur indirect costs updating their decision-making and monitoring frameworks.
• Fourth, there will be indirect costs linked to competition resulting from the reporting requirements.
Costs could be mitigated to the extent that information provided by firms in response to the required reporting changes overlaps with voluntary ad hoc reporting by firms or with supplemental information that firms already report to PCAOB through the inspection process. Firms may either pass their costs on to companies, and ultimately investors, through higher audit fees, or they may choose to absorb costs. Larger firms will be able to take advantage of economies of scale by distributing any fixed costs over a higher number of audit engagements. Smaller firms will distribute any fixed costs over a lower number of audit engagements, which will make implementation relatively more costly for smaller firms. 270 In addition, any increases in audit fees that result from passing costs on to companies could be disproportionately higher for smaller companies that are more likely to engage smaller audit firms. The Board discusses other potential impacts for smaller companies below.
Footnotes:
270 ? See, e.g., Michael Minnis and Nemit Shroff, Why Regulate Private Firm Disclosure and Auditing?, 47 Accounting and Business Research 473, 498-499 (2017) (explaining that increased financial reporting regulation is disproportionately costly for smaller companies because complying with regulation has large fixed costs, and unlike larger companies, smaller companies do not benefit from economies of scale).
[top] Several commenters agreed that the reporting requirements could have a disproportionate cost impact on smaller audit firms, as suggested in the proposal. In addition, some commenters suggested that foreign firms could be disproportionately impacted by costs
i. Direct Costs
a. Firm Infrastructure Costs
Infrastructure includes systems for data collection, reporting processes, controls, and documentation. Firms will likely incur one-time costs related to infrastructure that is necessary to comply with the reporting requirements. There will also likely be some recurring costs to maintain infrastructure. The one-time infrastructure costs will depend on the extent to which firms already have infrastructure in place and will be able to modify the infrastructure to comply with the reporting requirements. Most firms are likely to have some infrastructure in place for existing reporting requirements related to Form 2 and Form 3, as described above, but those systems may require modifications and testing before they can be used to comply with the new reporting requirements. One firm commenter affirmed that the reporting requirements may lead firms to implement new processes and infrastructure.
GNFs and large non-affiliate firms ("NAFs")? 271 may have existing advanced infrastructure and greater capability to modify the infrastructure. Smaller NAFs may need to make larger modifications to existing infrastructure or invest in entirely new infrastructure. Smaller firms may not be able to benefit from economies of scale as they will need to spread fixed costs over fewer audit engagements. 272
Footnotes:
271 ?NAFs are U.S. or non-U.S. accounting firms that are registered with the Board but are not GNFs. Some NAFs belong to international networks other than GNF networks.
272 ? See, e.g., Minnis and Shroff, Why Regulate 498-499.
The costs associated with developing or updating infrastructure will depend on the choice of automated or manual systems. Some firms may find it efficient to automate some or all of their systems, which will likely increase the one-time costs associated with infrastructure. In addition, recurring costs from operating manual systems are likely to be higher as scale increases, which may cause some firms to invest in automated systems.
Infrastructure costs will include any costs associated with training personnel on how to use the systems. Training may be needed for operating activities related to data collection and reporting processes as well as for administrative activities related to documentation and proper control over the systems.
b. Firm Compliance Costs
Compliance activities will include preparation, review, certification, and filing of forms revised by this rule. Firms will incur one-time costs and recurring costs related to compliance with the reporting requirements. The compliance costs will depend on the extent to which firms already engage in compliance activities related to Form 2 and Form 3 and will, thus, be able to modify their existing compliance activities. The relative magnitude of the compliance costs may depend on the size of the firm and whether the firm has chosen manual or automated systems.
GNFs and large NAFs may have existing advanced compliance practices and greater resource flexibility to modify existing compliance practices. Smaller NAFs may face resource constraints that could make modifications to such practices relatively more costly. To the extent that compliance activities include any fixed features, smaller firms may not be able to benefit from economies of scale as they will need to spread fixed costs over fewer audit engagements. 273
Footnotes:
273 ? See, e.g., Minnis and Shroff, Why Regulate 498-499.
Firms will incur personnel costs to prepare, review, and certify their filings, which will contain more information and, for Form 3, may be made more often. Preparation will require additional time associated with drafting narrative disclosures. Review will require additional time to validate expanded information and narrative disclosures and will potentially include more robust legal review. One-time costs for the additional reporting on Form 2 and Form 3 will include training of firm personnel regarding the new reporting requirements. One-time costs for Form QCPP will include gathering and documenting information related to the quality control policies and procedures that have been developed pursuant to QC 1000. Recurring costs for the additional reporting on Form 2 and Form 3 will include compliance activities associated with periodic reporting. There will be no recurring costs for the one-time reporting of policies and procedures on Form QCPP.
The Board expects that the compliance costs associated with the required changes will be most significant for the initial filings because firm personnel will need to familiarize themselves with new reporting requirements and forms. In subsequent reporting periods, the Board anticipates that firms will incur lower costs because of any efficiencies related to the compliance activities already being operationalized. 274
Footnotes:
274 ? See, e.g., PCAOB Rel. No. 2022-007 (finding that auditors of large accelerated filers realized efficiencies in developing and communicating critical audit matters in the second year of implementation, reporting that they generally spent the same or less time on critical audit matters compared to the initial year of implementation).
[top] Commenters generally agreed there will be compliance costs associated with the reporting requirements. One
One commenter said the detailed information required will be unnecessarily onerous for firms of all sizes. The Board believes reporting thresholds and the decision to streamline and clarify certain disclosures as compared to the proposal reduces the burden of the requirements. Several commenters suggested that firms of all sizes will incur substantial costs associated with the granularity and reporting period for fees. As explained in the Discussion of the Reporting Updates section, the final rule streamlines the fee disclosure requirements as compared to the proposal by, for example, eliminating the proposed requirement to provide disaggregated data for audit services billed to non-issuers and non-broker-dealers and the proposed requirement to report fees billed to all clients for each of the four fee categories. Limiting the reporting requirement for fees to actual fee amounts for issuer audit clients- i.e., the numerator and denominator of the current percentage calculations-and actual fee amounts billed to broker-dealer audit clients will mitigate firms' compliance costs associated with reporting fees. One commenter said that the governance disclosures included excessive granularity. As explained in the Discussion of the Reporting Updates section, the final rule streamlines the governance disclosures as compared to the proposal by, for example, eliminating the proposed requirement to name direct reports to the principal executive officer and the proposed requirement to provide a description of the processes that govern a change in the form of organization. One commenter said that the proposal did not sufficiently estimate and balance the costs and benefits-including potential legal or other risks to firms-from network-related disclosures. One commenter characterized the network-related disclosures as costly to assemble. Another commenter noted that reporting network-related financial obligations could impose an administrative burden. While the Board agrees there will be potential costs associated with network-related disclosures, including assembly costs and administrative costs, the Discussion of the Reporting Updates section explains that the final rule simplifies the network-related disclosures by, for example, focusing on the registered firm and aspects of its relationship with the network that mostly directly related to the conduct of audits.
One commenter asserted that the proposal did not sufficiently analyze compliance costs in light of the small incremental benefits to audit committees from increased accessibility and comparability of publicly available information regarding PCAOB-registered firms. However, the commenter did not specify any omitted compliance costs and did not consider in the comment the benefits that will accrue to investors, as noted in the proposal and in this release. The Board also noted previously that the economic analysis separately analyzes benefits and costs.
The compliance costs associated with the required confidential reporting of financial statements will include personnel, technology, and processing costs incurred to compile financial statements in accordance with an accrual basis of accounting and to delineate revenue and operating income by service line. In addition, firms will incur costs to report significant ownership interests, private equity investment, unfunded pension liabilities, and related party transactions. Firms will incur one-time costs to establish reporting processes as well as recurring costs to maintain those processes. Firms will also incur costs to the extent that they maintain two sets of financial records- e.g., one set on an accrual basis and one set in accordance with another basis. The audit firms subject to the confidential financial statement reporting requirement, and any related costs, will be limited to firms that have more than 200 audit reports issued for issuer audit clients and more than 1,000 personnel during a relevant reporting period. PCAOB staff analysis of the reporting threshold found that seven firms, including six U.S. GNFs, currently fall within the reporting threshold. The costs will be mitigated to the extent that firms currently compile financial statements in accordance with an accrual basis of accounting, delineate revenue and operating income by service line, and track significant ownership interests, private equity investment, unfunded pension liabilities, and related party transactions.
The required basis of accounting in the proposal was an applicable financial reporting framework ( e.g., GAAP or IFRS). Commenters generally affirmed that firms would have incurred costs to compile financial statements in accordance with an applicable financial reporting framework. One commenter asserted that the proposal underestimated the nature and extent of the costs to compile financial statements under an alternative basis of accounting. The commenter affirmed that the reporting requirements would have resulted in firms maintaining two sets of financial records, as noted in the proposal. One commenter agreed that costs would have included technology updates as noted in the proposal and suggested that costs would have included collaboration with engagement teams. One commenter said that firms would have had to make significant investments of time and resources to establish reporting processes and would have incurred costs to maintain those processes on an annual basis. The commenter also asserted that investor education would have been necessary to help investors digest information in the financial statements. Two commenters noted that firms would have had to implement new financial reporting processes and controls solely for reporting to the PCAOB. One commenter asserted that compiling financial statements in accordance with an applicable financial reporting framework would have entailed significant time and expense for firms of all sizes and that the costs would have greatly exceeded any perceived regulatory benefits. Some commenters asserted that requiring an applicable financial reporting framework would have reduced incentives for larger audit firms to accept issuer audit engagements or grow their practice to avoid exceeding the reporting thresholds. Some commenters suggested that the proposed extended transition period for providing financial statements would not have provided relief to firms because costs would have been incurred to compile financial statements in accordance with an applicable financial reporting framework in order to comply with the transition reconciliation requirements.
[top] In response to commenters' concerns regarding the costs of compiling financial statements in accordance with an applicable financial reporting framework, the Board has revised the
The Board has retained the proposed requirement to delineate by service line and clarifying that the delineation includes, at a minimum, revenue and operating income. Some commenters noted that requiring delineation by service line will result in additional effort and cost. To the extent that firms do not currently delineate revenue and operating income by service line, the Board agrees that firms will incur costs as explained above. Costs to delineate operating income by service line may include delineating expenses by service line to compile a measure of operating income by service line. However, the Board expects that firms will be able to manage costs associated with delineating revenue and operating income by service line because these activities are closely related to the firms' core competencies.
The compliance costs associated with the required special reporting of material specified events and significant cybersecurity incidents will include costs incurred to identify, monitor, and assess the events that are newly subject to the reporting requirements. The Board anticipates that these costs will be mitigated to the extent that firms already maintain risk management frameworks to actively identify, monitor, and assess events. For example, PCAOB staff observations of the largest firms indicate that those firms already have systems for monitoring and responding to the occurrence of cybersecurity incidents. In addition, the required reporting for the additional specified events is subject to limiting principles-including the materiality threshold and events that affect the provision of audit services-that are intended to scope events to those that warrant reporting. The subsequent costs will depend on the frequency of reportable events. Costs will be mitigated to the extent that reportable events occur infrequently because firms will not be required to file Form 3 in the absence of events. The costs associated with the changes, however, will increase with the frequency of reportable events at firms, including any follow-ups related to reportable events.
Some commenters affirmed that firms will incur costs associated with reporting the material specified events. One commenter said there will be costs associated with establishing new reporting mechanisms. A firm commenter asserted that the proposal significantly underestimated the complexity and cost of the significant expansion of reporting requirements on Form 3 because reporting will require a significant amount of manual coordination among people in several different functions within the firm. The Board continues to believe that firms will incur costs associated with reporting the material specified events, including coordination costs within firms. While the proposal would have imposed the reporting requirements on all firms, the final rule imposes them only on annually inspected firms. Thus, the vast majority of audit firms will not incur costs associated with reporting the material specified events. 275
Footnotes:
275 ?For 2023, there were 14 annually inspected firms. See PCAOB, Spotlight: Staff Update on 2023 Inspection Activities (Aug. 2024).
One firm commenter suggested that the material specified events include matters that firms already raise with PCAOB inspectors and that mandating reporting of the events outside the inspection process will increase costs for firms because firms will have to modify their external reporting systems to capture, evaluate, and submit the information. While the Board continues to believe that the costs of reporting the material specified events will be mitigated to the extent that firms already report the events to the PCAOB through the inspection process, the Board agrees that firms will incur costs to report the material specified events. In addition, the Board believes that more timely reporting of events on Form 3, rather than through potentially less timely inspections, will enhance PCAOB oversight and benefit firms and investors through better-informed regulatory assessment of the events.
The compliance costs associated with the required special reporting of material specified events and significant cybersecurity incidents will also include costs incurred to report within the specified time period. The filing deadline for material specified events is 14 days and for significant cybersecurity incidents is 5 business days. The filing deadline for existing specified events will remain at 30 days. The costs associated with the deadlines for material specified events and significant cybersecurity incidents will include potential processing updates, expedited review, and revised administrative efforts for filings. The costs are likely to be greater for firms that, due to operating circumstances, currently take all of the 30-day period to complete and file Form 3. These firms may have to allocate additional resources-such as in-house personnel or capital investment in automated filing processes-to comply with the shorter deadlines for material specified events and significant cybersecurity incidents. The costs may be mitigated to the extent that firms choose to automate processes, which could be more likely for larger firms, or to the extent that firms already file Form 3 within 14 days after a reportable event, which as noted above was 12.1 percent of specified events reported during the period 2018-2022. Reporting within 14 days is a practice with which audit firms are familiar, as reporting by companies on Form 8-K is generally required by the SEC within four business days after a reportable event.
[top] Several commenters agreed that firms will incur costs associated with shorter Form 3 filing deadlines and suggested that automated processes will not mitigate the costs. One firm said that the internal processes that will need to be developed to gather information and involve the necessary individuals will not be automated. Another firm said that reporting cannot be automated for many of the specified events because the events will require qualitative judgments by teams of people as well as reviews by senior firm leaders. One commenter suggested that firms may incur significant costs to comply because firm management may need to meet with key firm leaders more frequently. A firm commenter suggested there will be costs to establish policies and procedures in a firm's QC system to more frequently monitor events and determine when a reporting obligation is triggered. Another firm commenter
The Board agrees that automated processes will not mitigate costs associated with the analysis and evaluation that are required to manage and respond to an event. However, the Board continues to believe that automated processes may mitigate costs associated with potential processing updates, expedited review, and revised administrative efforts because those activities are amenable to automation. The Board also agrees with the potential disproportionate cost impact on smaller firms but notes that smaller firms may also experience fewer and smaller scale reportable specified events because of their smaller size. In addition, the decision to apply the 14-day filing deadline only to material specified events and the 5-business-day filing deadline to significant cybersecurity incidents, will mitigate costs associated with the filing deadlines. Moreover, the decision to limit the reporting requirements for material specified events to annually inspected firms will reduce the number of firms subject to costs associated with the Form 3 filing deadlines for material specified events.
As discussed in the proposal, the Board considered quantification of the compliance burden that firms will incur to complete the reporting requirements on Form 2 and Form 3 using a methodology similar to the methodology used by federal agencies under the Paperwork Reduction Act (PRA). 276 The methodology requires an estimate of burden hours imposed on respondents. In the case of Form 2 and Form 3, respondents are audit firms. The Board explored five potential options to estimate burden hours. First, the Board considered whether information has already been reported by firms to PCAOB regarding burden hours, but no information regarding burden hours has been reported by firms. Second, the Board explored the availability of burden hours imposed by comparable federal forms but based on the unique nature of Form 2 and Form 3, PCAOB staff was not aware of any comparable federal forms. Third, the Board inquired about PCAOB staff experience working with firms to complete Form 2 and Form 3 to assess the possibility of estimating burden hours based on expert judgment. However, PCAOB staff has not worked directly with firms to complete the forms, and the time burden could vary across firms based on factors such as: (i) the size of a firm's audit practice; (ii) the use of manual or automated processes to complete Form 2; and (iii) the nature and complexity of events reported on Form 3. Fourth, the Board analyzed PCAOB data generated during the filing of Form 2 and Form 3, including length of time to submit the forms calculated from time stamps collected when the forms are first initiated and when the forms are finally filed. The Board concluded that the wide variation in length of time across firms would serve as an indicator of the duration the forms are open but not necessarily firm effort to complete the forms. Finally, the Board considered a survey of firms to directly collect data regarding burden hours and decided to include a question in the proposal.
Footnotes:
276 ? See A Guide to the Paperwork Reduction Act, available at https://pra.digital.gov/burden/estimation.
Several commenters noted that the proposal did not quantify the economic impacts. One commenter noted the explanation in the proposal of the Board's considerations regarding quantification of the compliance burden using a PRA methodology and asserted that the approach is not an appropriate substitute. Another commenter suggested that the PCAOB should undertake a more rigorous economic evaluation that complies with the Paperwork Reduction Act. One commenter expressed that quantification of the economic impacts to the overall capital markets should include consideration of costs incurred by smaller firms and benefits to stakeholders in the companies the smaller firms audit.
The proposal and this release explain the Board's considerations regarding quantification of the compliance burden and the Board's general lack of data to quantify the economic impacts. For compliance costs, the proposal attempted to collect data from stakeholders regarding burden hours to complete Form 2 or Form 3 that could potentially enable quantification using a PRA methodology. The proposal also requested whether commenters were aware of any methodologies, including related studies or data, that could enable quantification of costs or benefits. One commenter affirmed that certain questions in the proposal suggested that the PCAOB expects other parties to provide data. Another commenter noted that audit firms are the best source of data regarding costs. However, commenters did not provide any data regarding burden hours or suggestions where the Board may find data regarding burden hours. Without a reasonably informed estimate of burden hours incurred to complete Form 2 or Form 3, the Board is unable to reliably quantify the compliance burden using a PRA methodology. Moreover, the proposal and this release explain the Board's considerations of the costs incurred by smaller firms and benefits to investors and audit committees, which includes investors and audit committees of companies the smaller firms audit.
One commenter asserted that the lack of quantification is of particular concern because the PCAOB has collected a significant amount of data for inspection purposes. The commenter suggested that PCAOB staff could use data collected in the inspection process to develop anonymized illustrations to demonstrate how the required disclosures and confidential reporting could be used and to estimate the related costs. The proposal and this release note that supplemental information is collected in the inspection process. In addition, the proposal and this release describe investors' and audit committees' uses of the required disclosures as well as PCAOB uses of the confidential reporting, which reflect, in part, PCAOB staff experience with information collected in the PCAOB inspection process. Moreover, PCAOB staff reviewed and considered information collected in the inspection process and concluded that it does not include data or other information that would enhance the Board's description of the uses of the required disclosures or confidential reporting or enable reliable quantification of the economic impacts for the Firm Reporting rule.
ii. Indirect Costs
[top] As discussed above, enhanced transparency of audit firms may prompt some firms to manage their operating characteristics in anticipation of investor and audit committee reactions to the required disclosures. If firms make changes related to their operating characteristics, firms will incur costs. For example, firms will incur costs to establish or strengthen governing boards, seek network membership, and/or more actively participate in networks. Likewise, firms will incur costs to improve integration of cybersecurity policies and procedures into their risk management systems or to hire cybersecurity consultants. Firms will only choose to incur these costs if the firms expect the associated benefits to justify the costs, and costs may be disproportionately higher for smaller firms to the extent that the costs include a fixed component that will be spread
a. Updating Decision-Making and Monitoring Frameworks
Once the required disclosures are available to investors and audit committees, investors and audit committees will incur one-time costs to the extent that they incorporate the new information into their decision-making and monitoring frameworks. In addition, investors and audit committees will incur recurring costs to continually monitor the new information. Additional time and personnel could be required by investors and audit committees as firms' filings increase in length and complexity. Investors may begin to incorporate the new information into their investment decisions or into their evaluation of the firm for their votes regarding the ratification proposal, which may generate costs associated with reviewing information and understanding potential trends. Audit committees may begin to incorporate the new information into their search activities for a firm and into their ongoing monitoring activities. Audit committees may also spend time discussing the new information with the firms, which will cost both audit committees' and the firms' time.
Investors and audit committees will only choose to incur the one-time and recurring costs of incorporating the new information if they expect the associated benefits to justify the costs. Institutional investors may be more inclined than retail investors to incur the costs because of economies of scale.
To the extent that audit firms compare their own information against the information of other firms, the firms will incur costs to monitor their own information and to review and understand their competitors' information. GNFs and large NAFs may be able to deploy more resources for research and understanding the overall market. Smaller NAFs may have fewer resources to fully evaluate the information contained in the new disclosures, and as a result, may incur costs to retain a competitive knowledge base compared to GNFs and large NAFs. Firms will only choose to incur these costs if the firms expect the associated benefits to justify the costs.
b. Competition
As discussed above, the required disclosures may lead audit firms to compete on some of the operating characteristics. Such increased competition could lead some firms to devote more resources to governance efforts, network participation, and cybersecurity risk management.
To the extent that increased competition results in reduced audit fees, it could also reduce profitability for audit firms. Lower audit fees could be particularly costly for smaller firms in light of fixed infrastructure costs and any fixed component of compliance costs that will be spread over fewer audit engagements and further reduce profitability. Although lower audit fees may constitute a cost to firms, lower fees will directly benefit issuers and indirectly benefit investors.
Several commenters noted that the reporting requirements could have competitive impacts on smaller firms. Some commenters suggested that the reporting requirements could reduce competition by driving firms to deregister to avoid the reporting requirements. One commenter suggested that the reporting requirements could significantly increase barriers to entry for smaller firms and increase concentration of firms in the audit market. One commenter expressed concern that the detailed level of reporting requirements could impact the competitiveness of smaller firms. Another commenter suggested that the reporting requirements could affect the ability of smaller and mid-sized firms to compete and possibly lead to higher market concentration.
As noted in the proposal and above in this section, smaller firms could be subject to lower profitability associated with the reporting requirements. The Board also believes that some firms may deregister or otherwise exit the market as discussed in the proposal and below or simply not enter the market, which could lead to higher market concentration for PCAOB audits to the extent that the deregistering or exiting firms performed issuer or broker-dealer audits. However, economic theory is inconclusive on the relationship between audit market competition and audit quality? 277 and between audit market concentration and audit quality. 278
Footnotes:
277 ?See, e.g., Pan, et al., The Dark Side 1.
278 ? See, e.g., Jeff P. Boone, Inder K. Khurana, and K.K. Raman, Audit Market Concentration and Auditor Tolerance for Earnings Management, 29 Contemporary Accounting Research 1171 (2012) (explaining that audit market concentration could limit a company's choice of auditor and foster complacency among auditors, resulting in a more lenient and less skeptical approach to audits and lower service quality, or that audit market concentration could raise audit quality by lowering the need to please a client and by strengthening the auditor's professional values and traditional commitment to the independent watchdog function).
c. Other Indirect Costs
Economic theory suggests that firms may pass on to companies certain costs in the form of higher audit fees. 279 The degree to which increases in variable costs, such as firm compliance costs, are expected to be passed on will vary based on how wide-spread the costs are across competitors. Increases in variable costs that impact all sellers in an imperfectly competitive market are more likely to be passed on than cost increases that impact only a subset of sellers. 280 If costs have a greater impact on a subset of firms, such as smaller firms, those firms may be less inclined to pass on the incremental costs in order to stay competitive with larger firms to the extent that smaller firms compete with larger firms.
Footnotes:
279 ?Economic theory suggests that fixed costs are less likely to be passed on. Only changes to variable costs are generally expected to impact sellers' pricing decisions. See, e.g., Mankiw, Principles of Economics 284, 307 (showing that the profit-maximizing price is a function of marginal cost rather than fixed costs).
280 ? See, e.g., Erich Muehlegger and Richard L. Sweeney, Pass-Through of Own and Rival Cost Shocks: Evidence from the U.S. Fracking Boom, 104 Review of Economics & Statistics 1361 (2022).
[top] One commenter noted that the SEC has various rule requirements and proposed rules for the use of PCAOB-registered and inspected audit firms that apply to entities other than issuers or registered broker-dealers and that the proposal failed to consider the consequences for these entities and the ability of the entities to engage audit firms to comply with the SEC requirements. The commenter provided two examples of SEC rules. 281 One rule was recently vacated? 282 and the other is a proposal. However, the Board agrees that the final rule will indirectly impact entities other than issuers and registered broker-dealers to the extent that the entity is required under SEC rules to obtain an audit from a PCAOB-registered firm or a PCAOB-registered and inspected audit firm? 283 and the
Footnotes:
281 ?See Private Fund Advisers; Documentation of Registered Investment Advisers Compliance Reviews, SEC Rel. No. IA-6383 (Aug. 23, 2023); Safeguarding Advisory Client Assets, 88 FR 14672-14792 (Mar. 9, 2023).
282 ? See National Association of Private Fund Managers v. SEC , 23-60471 U.S. 1 (5th Cir. 2024).
283 ?The SEC has promulgated rules requiring the use of PCAOB-registered or PCAOB-registered and inspected audit firms by entities other than issuers and registered broker-dealers, including certain investment advisers, pooled investment vehicles, security-based swap data repositories, and clearing agencies. See, e.g., 17 CFR 275.206(4)-2 (custody of funds or securities of clients by investment advisors); 17 CFR 240.13n-11 (chief compliance officer of security-based swap data repository; compliance reports and financial reports); 17 CFR 240.17ad-22 (standards and clearing agencies); 17 CFR 240.15c3-1g (conditions for ultimate holding companies of certain brokers and dealers, Appendix G to 17 CFR 240.15c3-1); and 17 CFR 240.18a-1 (net capital requirements for security-based swap dealers for which there is not a prudential regulator).
3. Unintended Consequences
In addition to the benefits and costs discussed above, the final rule could have unintended economic consequences. The following discussion describes potential unintended consequences the Board has considered and, where applicable, any mitigating or countervailing factors.
i. Misinterpretation and Insufficient Context
The required disclosures could be misinterpreted or lack sufficient context and therefore generate unexpected outcomes for market participants. 284 Several commenters questioned whether investors and, to a lesser extent, audit committees might reach inappropriate conclusions without sufficient context for the required disclosures. One commenter suggested that a data dump of information could result in information overload and more liability for audit committees if they do not consider certain information. One commenter said that the governance disclosures may require significant context to be understood. Two commenters asserted that disclosures of certain network-related information is complex and could lead to misinterpretation without sufficient context. Another commenter suggested that providing the required disclosures publicly could undermine the audit committee chair's role because investors will not be privy to the audit firm's conversations with the company's audit committee, and investors will thus be missing contextual information for any evaluation of a firm's disclosures. One commenter reported results of a survey of 100 institutional investor respondents regarding their beliefs about context and found that 42 percent of respondents strongly agreed and 38 percent agreed that firm and engagement-level metrics without context cannot adequately communicate factors relevant to a particular audit engagement or firm. 285
Footnotes:
284 ? See, e.g., Michael Mowchan and Philip M.J. Reckers, The Effect of Form AP on Auditor Liability when Engagement Partner Disclosure Shows a History of Restatements, 35 Accounting Horizons 127 (2021) (finding that jurors' assessments of audit firm liability increase following firms' audit-quality-related interventions designed to address audit failures).
285 ? See CAQ Investor Survey. The survey question asked, "How strongly do you agree or disagree with the following statements about mandated disclosures of firm and engagement-level metrics?"
This potential unintended consequence will be mitigated as investors and audit committees iteratively select and monitor firms and advance their understanding of the information content of the required disclosures. Audit firms will be able to use narrative disclosures to provide context they deem most relevant to facilitate investors' and audit committees' understanding. In addition, investors and audit committees will be able to seek relevant context when necessary in order to avoid misinterpreting the information. For example, lack of context may lead to more targeted communication between audit firms and audit committees and between investors and audit committees to obtain relevant context. Rather than undermining the audit committee chair's role, more targeted communication between investors and audit committees could support the audit committee chair by enhancing the audit committee's effectiveness through accountability to investors. In addition, audit committees may become more transparent regarding their selection decisions and subsequent monitoring in light of a richer information environment and more targeted communication with investors. Moreover, neither the proposal nor the final rule call for a data dump of information, and audit committees will still be able to focus on the information they feel is decision-useful in order to manage any liability. Finally, the Board has refined the required disclosures as compared to the proposal, such as reducing information required for fees and governance, to simplify the required disclosures in response to commenter feedback.
ii. Cybersecurity
As a general matter regarding cybersecurity disclosures, the potential cybersecurity vulnerability of a firm could increase via disclosures of cybersecurity policies and procedures. 286 If cybersecurity disclosures are sufficiently detailed, the disclosures may provide meaningful information to malicious actors to target the firm. Malicious actors could use information from disclosed policies and procedures to target weaker firms. Some firms agreed that there could be potential malicious actors that could use such information in a nefarious manner. Two commenters suggested that cybersecurity policies and procedures should be reported confidentially rather than publicly disclosed to avoid needlessly exposing a firm to potential risks and revealing potential weaknesses in policies and procedures that could be exploited by potential attackers. Another commenter expressed support for high-level disclosure of cybersecurity policies and procedures but was opposed to providing specific information as the commenter believes it could lead to a firm's and an issuer's security being compromised. The Board agrees with these concerns, which is reflected by deeming confidential the special reporting of significant cybersecurity incidents. In addition, this potential unintended consequence will be mitigated by this release's clarification that the requirement is not intended to elicit detailed, sensitive information. The potential unintended consequence will also be mitigated to the extent that a firm decides to enhance its cybersecurity risk management in anticipation of the required disclosures. In addition, academic research that studies cybersecurity vulnerabilities suggests that detailed cybersecurity disclosures do not lead to more attacks. 287 However, the Board notes that findings from the research may not be generalizable to the required cybersecurity disclosures.
Footnotes:
286 ? See, e.g., Roland L. Trope and Sarah Jane Hughes, The SEC Staffs `Cybersecurity Disclosure' Guidance: Will it Help Investors or Cyber-thieves More?, Business Law Today 1, 6 (2011) (concluding that cybersecurity disclosures that are meaningful enough to enable investors to accurately price companies' securities may also contain information of value to cybercriminals seeking to exploit a cybersecurity vulnerability).
287 ? See, e.g., He Li, Won Gyun Non, and Tawei Wang, SEC's Cybersecurity Disclosure Guidance and Disclosed Cybersecurity Risk Factors, 30 International Journal of Accounting Information Systems 40 (2018) (finding that measures of specificity of incidents do not have a statistically significant relation with subsequent cybersecurity incidents); Tawei Wang, Karthik N. Kannan, and Jackie Rees Ulmer, The Association between the Disclosure and the Realization of Information Security Risk Factors, 24 Information Systems Research 201, 215 (2013) (finding that companies that disclose risk-mitigating information are less likely to be associated with cybersecurity incidents).
[top] One commenter suggested that creating a new cybersecurity incident
The Board agrees that the PCAOB cybersecurity incident reporting requirements may create additional reporting requirements that differ from other reporting frameworks. However, as noted in the Discussion of the Reporting Updates section, the Board does not believe there are any known direct conflicts between the additional PCAOB reporting requirements and other reporting frameworks. In addition, the PCAOB reporting requirements for significant cybersecurity incidents are only triggered when a firm has a significant cybersecurity incident rather than on a periodic basis. Moreover, the PCAOB reporting requirements are designed specifically with the protection of investors and the public in mind for the provision of public company audits by PCAOB-registered audit firms, so any additional PCAOB reporting requirements will supplement any gaps in other reporting frameworks. The Board believes that the reporting requirements for significant cybersecurity incidents are not onerous and primarily require general, high-level information regarding the incident. Finally, the required reporting for significant cybersecurity incidents is confidential rather than publicly disclosed, and as described in the Discussion of the Reporting Updates section, the required reporting focuses on "any determined effects of the incident on the firm's operations" rather than assessing ramifications of the incident.
iii. Audit Firms May Exit the Market
Profitability of some firms could be negatively impacted by the costs of the final rule. In addition, firms that are less able to compete on the operating characteristics could lose market share or be forced to lower their audit fees, resulting in strains on their profitability. In some cases, firms that are less able to compete by managing their operating characteristics as described in a section above may be forced to exit the market, thereby reducing the overall capacity of the audit market. This consequence could disproportionately affect smaller firms and the issuers they audit compared to larger firms.
This potential unintended consequence may be mitigated to the extent that more competitive firms in the smaller issuer audit market could expand their market share, perhaps by absorbing additional capacity from exiting firms. 288 This potential unintended consequence will also be mitigated to the extent that the final rule provides accommodation for smaller firms, including reducing the disaggregated information required for fees, exempting smaller firms from confidentially reporting financial statements and material specified events, and adopting phased implementation. 289
Footnotes:
288 ? See, e.g., Jennifer Blouin, Barbara Murray Grein, and Brian R. Rountree, An Analysis of Forced Auditor Change: The Case of Former Arthur Anderson Clients, 82 The Accounting Review 621 (2007) (finding that former Arthur Anderson clients with greater switching costs followed their audit team to a new auditor). The Board notes that this outcome was realized for larger firms and may not be realized for smaller firms.
289 ?The Board also considered that limiting the reporting requirements for material specified events to annually inspected firms could reduce incentives for audit firms near the 100-issuer reporting threshold to accept issuer audit engagements or grow their practice to avoid exceeding the threshold. Staff analysis of signed public company audit opinions indicate that, during the 2023 calendar year, the number of firms near the threshold included two U.S. NAFs that signed between 80 and 100 opinions and two U.S. NAFs that signed between 100 and 120 opinions. The Board concludes that there currently appear to be few audit firms near the threshold.
Several commenters noted the potential unintended consequence that audit firms may exit the market. One commenter suggested that over-regulating can have a detrimental effect on the ability of smaller and mid-sized firms to practice within the public company audit market. Some firm commenters asserted that the more regulatory costs that are imposed on firms, the more likely smaller and mid-sized firms will opt out of participating in the issuer and broker-dealer audit market. One commenter claimed that they have observed smaller firms exiting the public company audit market due to increasing difficulties complying with PCAOB reporting requirements. As noted in the proposal and in this release, the Board agrees there is a potential unintended consequence that audit firms may exit the market as a result of the reporting requirements.
[top] One commenter cited an academic study that found no evidence that smaller firms that exited the market for SEC client audits following the introduction of Sarbanes-Oxley in 2002 were of lower quality than successor smaller firms that did not exit the market, suggesting that if smaller firms exit the public company audit market for reasons other than inability to provide high quality audit services, audit quality could be negatively affected. 290 The Board believes the commenter implies that issuers or broker-dealers may not necessarily obtain a higher quality audit after switching to a new auditor that has remained in the market. The academic study cited by the commenter acknowledges that prior research using other audit quality proxies finds the opposite result- i.e., exiting firms indeed have lower audit quality. 291 Firm size is a widely accepted proxy for audit quality, 292 and PCAOB oversight activities indicate that noncompliance with auditing standards is higher among triennially-inspected NAFs. 293 Therefore, to the extent that smaller firms tend to exit rather than larger firms, as commenters contend, then audit quality could improve on average as issuers and broker-dealers switch to larger firms. The Board notes there is currently some debate on the extent to which the large-firm audit quality effect is driven by correlated issuer characteristics rather than auditor
Footnotes:
290 ?See Neil L. Fargher, Alicia Jiang, and Yangxin Yu, Further Evidence on the Effect of Regulation on the Exit of Small Auditors from the Audit Market and Resulting Audit Quality, 37 Auditing: A Journal of Practice & Theory 95 (2018).
291 ? See Mark L. DeFond and Clive S. Lennox, The Effect of SOX on Small Auditor Exits and Audit Quality, 52 Journal of Accounting and Economics 21 (2011).
292 ?See, e.g., DeFond and Zhang, A Review of Archival Auditing Research 275.
293 ?See, e.g., PCAOB, Spotlight: Staff Update on 2023 Inspection Activities (Aug. 2024), available at https://pcaobus.org/resources/staff-publications; A Firm's System of Quality Control and Other Amendments to PCAOB Standards, Rules, and Forms, PCAOB Rel. No. 2024-005 (May 13, 2024), at Figure 1.
294 ? See, e.g., Alastair Lawrence, Miguel Minutti-Meza, and Ping Zhang, Can Big 4 Versus non-Big 4 Differences in Audit-Quality Proxies be Attributed to Client Characteristics?, 86 The Accounting Review 259 (2011); Mark DeFond, David H. Erkens, and Jieying Zhang, Do Client Characteristics Really Drive the Big N Audit Quality Effect? New Evidence from Propensity Score Matching, 63 Management Science 3628 (2017).
One commenter asserted that scores of firms have voluntarily exited the public company audit market based on strategic decisions in which the firms weighed the increasing costs of continued PCAOB registration against potential benefits. The commenter cited research that documents approximately 60 percent of small PCAOB registered audit firms deregistered during the period 2003-2018. 295 However, the research found that firms experiencing more lawsuits and receiving more negative signals of audit quality through PCAOB inspections and enforcement are more likely to deregister, while there was no evidence that new PCAOB disclosure rules for Form 2, Form 3, and Form AP, which became effective during the test period, incentivized deregistration. 296
Footnotes:
295 ? See Michael Ettredge, Juan Mao, and Mary S. Stone, Small Audit Firms' Public Market Exits, Business Model Changes, and Market Consequences, available on SSRN: https://ssrn.com/abstract=4737583 (2024). The Board notes that SSRN does not peer review its submissions.
296 ? See Ettredge, et al., Small Audit Firms' Public Market Exits (concluding that results for three regulatory shocks-Form 2/Form 3, Form AP, and broker-dealer registrations-suggest that the costs to smaller audit firms of complying with new PCAOB regulations were not large enough to sway the deregistration decisions of firms with public company clients and SEC-registered broker-dealer clients).
One commenter claimed based on survey results that the cost burden will likely accelerate the exit of smaller and mid-sized firms from the public company audit market. While the comment letter was submitted to both the Firm and Engagement Metrics docket and the Firm Reporting docket, 297 the survey appears to have been conducted solely for the Firm and Engagement Metrics proposal. 298 While the Board notes the point raised by the commenters regarding potential market exit as a result of cost burden, the commenter provided no information that would help assess the significance of potentially exiting firms to the overall audit market. In addition, the commenter provided little detail on how the survey was performed to understand whether the results could be generalized to the Firm Reporting rule.
Footnotes:
297 ? See Firm and Engagement Metrics, PCAOB Rel. No. 2024-002 (Apr. 9, 2024).
298 ?The comment letter noted that the survey asked, "If the 11 metrics proposal is adopted, what impact would this have on your firm's interest in continuing to do public company auditing?" Of the survey responses provided in the comment letter, 6 percent responded they would definitely get out of the public company market, 17 percent responded they would strongly consider getting out of the public company market, 28 percent responded they would consider getting out of the public company market, 25 percent responded they would eliminate or manage their client base of accelerated filers and large accelerated filers, and 25 percent responded they intend to stay in the public company market for the foreseeable future.
iv. Smaller Companies
Several commenters noted a potential unintended consequence for smaller companies to have less incentive to go public or remain public. One commenter suggested that the exit of smaller audit firms and higher costs for remaining firms can result in higher costs to smaller private companies, deterring them from going public. One commenter suggested that the proposal failed to address the effects of the reporting requirements on initial public offerings (IPOs) and going-private activities. One commenter suggested that fewer smaller audit firms and higher audit fees will strain new capital formation and move investors toward private equity investments that are not available to many investors. Another commenter, representing smaller and mid-sized firms, asserted that rising costs of regulation increases the likelihood that smaller companies either go private or are deterred from entering capital markets. The commenter cited an SEC report that shows in 2022, the number of exchange-listed IPOs dropped to its lowest point since 2009. 299 The commenter also explained that the SEC report noted that smaller public companies and new public companies face disproportionately high regulatory costs and that smaller exchange-listed companies account for the vast majority of the decline in exchange-listed companies. 300 The commenter recommended that the economic analysis for Firm Reporting and for future PCAOB proposals include a specific study of the costs and benefits to smaller firms and smaller public companies. Another commenter suggested that a reduction in the number of audit firms that service the 40 percent of smaller issuers that represent less than 2 percent of overall market capitalization could increase the concentration of public companies audited by large international firms.
Footnotes:
299 ? See SEC Office of the Advocate for Small Business Capital Formation, Annual Report Fiscal Year 2023 (2023) ("SEC Annual Report").
300 ? See SEC Annual Report; Michael Ewens, Kairong Xiao, and Ting Xu, Regulatory Costs of Being Public: Evidence from Bunching Estimation, 153 Journal of Financial Economics (2024).
[top] While the Board believes that any impact on audit fees could be disproportionately higher for smaller public companies and new public companies that are more likely to use smaller audit firms, the Board also believes that any impact on audit fees on a company's decision to go public or remain public is likely small for several reasons. In particular, the Board notes that the relationship between disproportionately high regulatory costs and the number of IPOs does not appear to be conclusive. While the SEC Annual Report demonstrates that smaller exchange-listed companies accounted for the vast majority of the decline in exchange-listed companies, the report also cites a paper that concludes regulatory cost itself is unlikely to explain the full magnitude of IPO decline in the U.S. over the past two decades. 301 The Board also notes that accounting fees typically comprise roughly 4.5 percent of the costs of an IPO, 0.3 percent of the proceeds, and 32 percent of the recurring incremental costs of being a public company. 302 Any
Footnotes:
301 ? See Ewens, et al., Regulatory Costs of Being Public (explaining that non-regulatory factors-such as decline in business dynamism, shifting investment to intangibles, abundant private equity financing, changing economies of scale and scope, and changing acquisition behavior-are likely to play a more important role than regulatory cost in the decline of IPOs).
302 ?Staff obtained data on accounting fees and legal fees from Audit Analytics and investment bank underwriting fees from a PricewaterhouseCoopers market research report. See PricewaterhouseCoopers, Considering an IPO? First, Understand the Costs, available at https://www.pwc.com/us/en/services/consulting/deals/library/cost-of-an-ipo.html and Audit Analytics, 2018-2019 IPO Accounting and Legal Fees (Feb. 20, 2020). Staff calculated the accounting fee share of IPO costs as the ratio of all accounting fees to all IPO costs across all deals in the Board's sample. The staff's analysis assumes IPO costs are equal to the sum of accounting, legal, and investment bank underwriting fees. The PricewaterhouseCoopers market research report indicates that there are other IPO cost categories, but they are relatively small. Staff calculated deal proceeds by multiplying the quantity of shares issued by their price at issue. Staff calculated the accounting fee share of proceeds as the proceeds-weighted average accounting fee share of proceeds across all deals in the Board's sample. The Board notes that the accounting fee share of proceeds is decreasing in deal proceeds. The audit percentage of recurring incremental costs was reported directly in the PricewaterhouseCoopers market research report based on respondents to a survey of CFOs. The recurring incremental costs of being a public company are split across five areas in the survey: audit (32 percent), investor relations (22 percent), financial reporting (18 percent), legal (16 percent), and regulatory compliance (12 percent).
One commenter suggested that the PCAOB should identify and evaluate the characteristics of investors in smaller companies and determine if the needs of investors in those companies are the same as the potential needs of investors in larger companies. One recent working paper finds that institutional ownership is, on average, lower for smaller companies. 303 In addition, academic research suggests that retail and non-professional investors rely on less traditional sources of information to inform their decision-making processes, which implies that investors in smaller public companies may, on average, be less likely to utilize the required disclosures. 304 However, investor-related groups, which include representation of investors in a variety of company sizes, affirmed the decision-usefulness of the required disclosures as noted above. Moreover, the Board believes that investors in smaller companies could still benefit from the required disclosures because: (i) retail investors would benefit from the improved accessibility and comparability of information regarding audit firms and (ii) institutional ownership in smaller companies, though less than larger companies, is not trivial. 305 Finally, financial reporting quality may be especially relevant for smaller companies.
Footnotes:
303 ? See Jonathan Lewellen and Katharina Lewellen, The Ownership Structure of U.S. Corporations, available on SSRN: https://ssrn.com/abstract=4173466 (2022). The Board notes that SSRN does not peer review its submissions.
304 ?See, e.g., Cassell, et al., Retail Shareholders and the Efficacy of Proxy Voting 75; Hux, How Does Disclosure of Component Auditor Use 35.
305 ? See, e.g., Lewellen and Lewellen, The Ownership Structure of U.S. Corporations (finding that institutional ownership is 41.6 percent for the lowest quintile of companies by market capitalization).
v. Staff Resources
Several commenters suggested that the reporting requirements could contribute to a regulatory environment that makes the auditing profession unattractive. One commenter asserted that over-regulating can have a detrimental effect on the attractiveness of an auditing career. Another commenter asserted that the reporting requirements will undermine the attractiveness of public company auditing and the accounting profession and exacerbate staffing challenges for audit firms in the short-run and down the road. Another commenter, representing audit committee chairs, expressed concern regarding the impact that more regulation will have on the auditing profession in the eyes of new talent as well as current partners and audit firm staff. Another commenter, representing smaller and mid-sized firms, cited research that found 94 percent of undergraduate accounting majors who have chosen not to pursue, or are undecided on, CPA licensure cite as either a major reason or part of reason for the decision the belief that the regulatory environment makes the auditing profession unappealing. 306 The commenter also explained that the talent impact is more pronounced for smaller and mid-sized firms and noted that their personnel are beginning to express a desire to exit auditing work as the rewards of the work no longer outweigh the costs.
Footnotes:
306 ?See Center for Audit Quality, Increasing the Diversity in the Accounting Profession Pipeline: Challenges and Opportunities (July 2023) ("CAQ Diversity Report").
The auditor labor market is likely affected by the interplay among numerous factors unrelated to the required disclosures, such as the rigor of qualifying for and completing the requirements for CPA licensure and the relatively low starting salaries. One commenter suggested that firm workloads and work-life balance should be included in the root cause analysis of the decline of graduates entering the audit profession. The CAQ Diversity Report found that lack of interest, low starting salaries, and the 150 credit hour requirement were the top three major reasons college students chose non-accounting majors. 307 In addition, the CAQ Diversity Report found that cost and time needed to reach 150 credit hours are the biggest obstacles keeping undergraduate accounting majors from pursuing CPA licensure. 308 The CAQ Diversity Report also found that the top three major reasons undergraduate accounting majors chose not to pursue or were undecided on CPA licensure were: (i) regulatory environment makes profession unappealing, (ii) not enough diversity, and (iii) starting salaries not high enough. The CAQ Diversity Report does not clarify whether "regulatory environment" refers to federal regulation regarding accounting and auditing standards or state regulation of the profession and the 150 credit hour requirement for CPA licensure. Moreover, while 94 percent of undergraduate majors who are not pursuing or are undecided on CPA licensure cite "regulatory environment makes profession unappealing" as either a major reason or part of reason, as noted by the commenter, the Board notes that 95 percent of the same respondents to the same question cite "starting salaries not high enough" as either a major reason or part of reason. 309
Footnotes:
307 ? See CAQ Diversity Report.
308 ? See CAQ Diversity Report.
309 ?These results are consistent with academic research that considers supply-side and demand-side explanations regarding the decline in accounting college majors. For a supply-side explanation, see, e.g., John M. Barrios, Occupational Licensing and Accountant Quality: Evidence from the 15-Hour Rule, 60 Journal of Accounting Research 3 (2022) (finding that the 150-hour rule for CPA licensure decreased the number of entrants into the accounting profession). For a demand-side explanation, see, e.g., Henry Friedman, Andrew G. Sutherland, and Felix W. Vetter, Technological Investment and Accounting: A Demand-Side Perspective on Accounting Enrollment Declines, available on SSRN: https://ssrn.com/abstract=4707807 (2024) (finding that fewer students choose an accounting major and more choose a finance major as the wage gap of finance majors over accounting majors grows in light of technological development that favors finance jobs). The Board notes that SSRN does not peer review its submissions.
vi. Litigation and Reputation Risks
[top] Some commenters suggested that the required disclosures could create litigation and reputation risk. One of the commenters expressed concern whether highly sensitive business and competitive information will be immune from civil litigation or other legal processes. One commenter said that private litigants will be tempted to serve discovery requests on the PCAOB. Another commenter suggested that the required disclosures will exacerbate audit firm litigation and reputation risks. The commenter suggested that the proposal presented a myriad of circumstances that could complicate compliance, including the timing of filings. Some commenters said that disclosure of sensitive information
The Board agrees that plaintiff lawyers could seek to use some of the required disclosures to support their cases. For example, academic research finds that PCAOB inspection reports with audit deficiencies are positively associated with the number of lawsuits subsequently filed against the inspected auditor. 310 While the required disclosures may not be as clearly linked to legal liability as audit deficiencies and could encourage some frivolous lawsuits, the Board believes that the threat of litigation and reputational risk could largely contribute positively to audit quality because the threat will create an incentive for firms to provide high quality audits. Indeed, the Board believes the threat of litigation and reputational damage could help drive more competition on audit quality, a criterion that one of the commenters urged us to consider. Moreover, the reporting requirements allow for the confidential reporting of highly sensitive information as material specified events on Form 3 rather than requiring public disclosure. Finally, the Board also believes that the impact on reputation is central to the intended impacts of the required disclosures.
Footnotes:
310 ? See, e.g., Brant E. Christensen, Nathan G. Lundstrom, and Nathan J. Newton, Does the Disclosure of PCAOB Inspection Findings Increase Audit Firms' Litigation Exposure?, 96 The Accounting Review 191 (2021).
vii. Diversion of Resources
Several commenters suggested that the reporting requirements could cause audit firms to divert resources away from activities that are more focused on audit quality. One commenter suggested that the reporting requirements will divert resources from quality engagement execution to reporting compliance. Another commenter said that resources could be better used for audit execution or quality control monitoring and remediation efforts. One commenter said the reporting requirements will distract the profession from investments and activities that are much more likely to benefit the quality of audits. Some commenters asserted that the compilation of financial statements will result in a diversion of resources away from audit quality.
The Board agrees that additional resources will be utilized by audit firms to comply with the reporting requirements as noted above. Some of the time and effort will be associated with centralized efforts to develop systems and implement processes. In addition, any potential impact on audit quality will be mitigated to the extent that the reporting requirements are implemented by administrative personnel rather than audit personnel. Firms will likely relieve some of the burden by hiring additional staff, as noted by one commenter. Moreover, the Board believes its revisions to the proposal in consideration of comments-including exempting firms below a specified threshold from confidentially reporting material specified events, adopting phased implementation for smaller firms, and refining certain required disclosures-will help mitigate the resources required to comply with the final reporting requirements.
Alternatives Considered
The development of the final rule involved considering a number of alternative approaches to address the problems described above. This section explains: (i) why rulemaking is preferable to other policy approaches, such as providing interpretive guidance or enhancing inspection or enforcement efforts; (ii) other rulemaking alternatives that were considered; and (iii) key policy choices made in determining the details of the rulemaking approach.
1. Why Rulemaking is Preferable to Other Policy-Making Approaches
The Board's policy tools include alternatives to rulemaking, such as issuing additional interpretive guidance or an increased focus on inspections or enforcement of auditing standards. The Board considered whether providing guidance or increasing inspection or enforcement efforts would be an effective mechanism to address the information gaps in the extant PCAOB reporting framework.
Interpretive guidance inherently provides additional information about existing rules and forms. Encouraging additional disclosure via interpretive guidance without amending the forms through rulemaking would have been less effective because there would have been no mechanism for the disclosure. Moreover, interpretive guidance, as opposed to line-item requirements, would have reduced the standardization and comparability of the information. Inspection and enforcement actions take place after insufficient audit performance (and potential investor harm) has occurred. Devoting additional resources to interpretive guidance, inspections, or enforcement activities, without enhancing the current PCAOB reporting framework would not have provided the benefits discussed above associated with the required reporting changes.
One commenter questioned whether adding further definition to the existing disclosures could improve the data and comparability among firms. However, additional definitions for existing disclosures will not provide the public benefit of the additional required disclosures. One commenter suggested that a mechanism should be established to allow cross-referencing to information in firms' transparency reports where appropriate. Another commenter suggested that creating a new regulatory regime, without considering whether firms' transparency reports and audit quality reports that are already in place could serve as the basis for wider application, is likely to create additional cost and disruption in the ecosystem for little apparent benefit. The commenter suggested that the proposal did not discuss ways to expand or enhance what is already done by firms in their transparency reports or audit quality reports to meet the expectations of investors about topics addressed in the proposal without imposing undue burden on firms. However, the additional reporting requirements build on the existing reporting regime for Form 2 and Form 3 as a wider application of the existing reporting regime rather than creating a new regulatory regime. For some required disclosures, firms may be able to adapt content from their transparency reports and audit quality reports to comply with the additional reporting requirements for Form 2 and Form 3 to help alleviate the reporting burden. In addition, the proposal and this release describe the benefits of the additional reporting requirements.
The Board considered enhancing its collection of supplemental information through the inspection process, including the collection instruments, procedures for collection, and the data storage infrastructure. This approach would have yielded benefits to PCAOB statutory oversight. However, the approach would have yielded no public benefits associated with the enhanced information environment as described in a section above. The Board believes more extensive disclosures, as explained above, are warranted and will accomplish more than what will be accomplished by enhancing existing tools for supplemental information.
[top] Several commenters suggested that the reporting requirements be implemented through the PCAOB
The Board acknowledges the public benefit of PCAOB inspections, and the Board does not expect that the reporting requirements, including the required disclosures, will curtail the scope of inspections or inspections information that is made currently available to the public. The Board also notes that the final rule specifies the information that will be reported and maintained confidentially. In addition, information collected through the inspection process would only be available every three years for triennially inspected firms. Moreover, implementing the reporting requirements through the confidential inspection process will not achieve the additional public benefit of making information directly available to audit committees and investors.
2. Other Rulemaking Alternatives Considered
Some commenters suggested that the required disclosures should be determined based on interactions between audit firms and audit committees. One commenter suggested that the public disclosure of firms' operating characteristics should continue to be driven by established audit committee oversight. The commenter asserted that many firms publish information derived from interactions with audit committees. Another commenter suggested that audit committees should be the primary recipients of the required disclosures to further enhance their oversight responsibilities. The commenter suggested that disclosures by audit committees are the primary way that audit committees relay their judgments made in discharging their responsibilities to oversee company management and the audit firm, and that the SEC could take actions to strengthen audit committee disclosures if investors believe they do not have sufficient information regarding ratification voting. The commenter noted an SEC Concept Release that considered strengthening audit committee disclosures, and the commenter suggested the SEC Concept Release could be revisited as a complementary action. 311 Another commenter suggested that tailored discussions with audit committees is most useful to fulfill the audit committees statutory responsibilities.
Footnotes:
311 ? See Possible Revisions to Audit Committee Disclosures, SEC Rel. No. 33-9862 (July 1, 2015) ("SEC Concept Release").
The Board expects that interactions between audit firms and audit committees will continue to be a key component for oversight of the audit firm and that audit committee disclosures will continue to provide important information to investors. However, relying on voluntary firm disclosures and voluntary audit committee disclosures, or providing firm disclosures to audit committees without public disclosure, will not empower investors with decision-useful information or enhance investors' abilities to monitor the audit committee or make informed voting decisions to ratify the audit firm. The proposal and this release explain that market forces do not provide audit firms with sufficient incentives to develop an efficient and effective system of standardized voluntary disclosures and that audit committees may not always sufficiently fulfill their responsibilities to investors, even if those failures are not pervasive. In addition, a recent analysis of audit committee disclosures found that less than half of audit committee disclosures that were reviewed for S&P large-cap, mid-cap, and small-cap companies included disclosures related to a discussion of audit committee considerations in appointing or reappointing the audit firm. 312 Moreover, the SEC Concept Release is consistent with the Board's view that investors need more information to: (i) evaluate the performance of audit committees and audit firms, (ii) vote for or against audit committee members, (iii) ratify the appointment of the audit firm, and (iv) invest capital. The Board notes that the relevance of the SEC's analysis is limited by the fact that it contemplates public disclosure by audit committees rather than audit firms and that it aims to solicit feedback rather than provide a cost-benefit analysis. In addition, the Board notes that the PCAOB has no direct authority over audit committees or the SEC.
Footnotes:
312 ?CAQ Barometer Report, at 5.
3. Key Policy Choices
During the development of the final rule, the Board considered different approaches to addressing key policy choices.
i. Disclosure versus Confidential Reporting
The Board considered whether the required reporting should be made publicly available or reported confidentially. One commenter recommended that the expanded fee information, cybersecurity policies and procedures, and certain firm governance and network information should receive confidential treatment. For the reasons noted above, the Board explicitly allows confidential reporting for financial statements, material specified events, and significant cybersecurity incidents, but the Board believes public availability of the remaining information will promote the best transparency of firms and protection of investors while at the same time protecting the confidentiality of the firm's information. As noted in the Discussion of the Reporting Updates section, the Board intends to analyze the information reported in firms' financial statements to better understand whether the reporting requirements should be further amended to make some or all of the reported financial information public.
ii. Scalability
Several commenters suggested scaling the reporting requirements to help smaller firms and foreign firms manage costs. One firm commenter recommended exempting firms with 100 or fewer issuers in a calendar year. Another firm commenter suggested exempting firms that are registered but do not currently issue opinions or participate in audits conducted under PCAOB standards. Another commenter suggested exempting smaller firms or a certain subcategory of smaller firms. Another commenter asserted that applying the reporting requirements to all firms ignores the vast differences in firm portfolios and coverage of the capital markets. One commenter suggested making accommodations for foreign firms that are registered with the PCAOB. One commenter noted that smaller firms are not required to have an EQCF oversight role under QC 1000 and that disclosure of whether those firms have an EQCF may put the firms at a competitive disadvantage and recommended tiered reporting requirements under which smaller firms could provide a reduced set of disclosures.
[top] While the Board has agreed in the proposal and in this release that there are disproportionate costs faced by smaller firms and foreign firms,
iii. Principles-Based Reporting
Several commenters suggested that the reporting requirements should be more principles-based. Some commenters suggested that the reporting requirements be designed similar to the principles-based transparency reporting requirements adopted by the European Union's Eighth Directive. The commenters suggested principles-based reporting could provide similar benefits at lower cost. One of the commenters asserted that the usage of standardized disclosures is based on assumptions and understates the variation in reporting that will occur because of the variation in how firms are structured and organized. Another commenter suggested that principle-based reporting fully aligns with the specific ACAP recommendations. Another commenter suggested that principles-based reporting allows firms to report in a way that will give more valuable insight into the unique qualities of each firm.
The proposal and this release explain the market failures that lead to insufficient voluntary reporting, including principles-based transparency reports and audit quality reports that are voluntarily provided by firms. In addition, while the Board expects that the content of the required disclosures will vary across audit firms based on unique qualities of each firm, principles-based reporting will not achieve the same public benefits of standardization and comparability achieved by the required disclosures. Moreover, the usage of standardized disclosures is not based on assumptions but is based in part on stakeholder feedback, including investor-related groups, prior to the proposal and in public comments responding to the proposal.
iv. Changing Form 2 Reporting Deadline
The Board considered revising the Form 2 reporting period (April 1 through March 31) and filing deadline (June 30) to align with the reporting period for Form FM (October 1 through September 30) and filing deadline (November 30) in order to have a single firm-level reporting period and filing deadline. This approach could benefit some Form 2 users because the firm-level metrics would have all been prepared for the same period and therefore the synergies between the two sets of metrics may be increased. It may also benefit firms to prepare all firm-level metrics for the same reporting period. However, the Board considered that firms may also have existing systems in place to prepare and report existing Form 2 information for the current Form 2 reporting period, and altering those systems may incur costs. Moreover, the current period allows firms 90 days following the end of the reporting period to file Form 2, while the filing deadline for Form FM is 61 days following the end of the reporting period. Thus, the change would have represented an acceleration of the filing deadline, which may also increase firms' costs.
v. Alternative Reporting Requirements
a. Financial Information
Some commenters suggested that the required disclosures regarding disaggregation of fees should be limited to fees from audit and non-audit services provided to issuers and broker-dealers. As explained in the Discussion of the Reporting Updates section, the final rule streamlines the fee disclosure requirements as compared to the proposal by, for example, eliminating the proposed requirement to provide disaggregated data for audit services billed to non-issuers and non-broker-dealers and the proposed requirement to report fees billed to all clients for each of the four fee categories. One commenter asserted that actual fee amounts should remain confidential proprietary information and that fees should be disclosed as percentages. However, the Board continues to believe that actual fee amounts will increase the usefulness of fee reporting as discussed in the Discussion of the Reporting Updates section. In addition, requiring actual fee amounts, rather than percentages, will decrease potential inconsistencies due to varying methodologies used to calculate percentages. One commenter suggested that audit fees for issuers are currently available to investors on a company-specific basis through SEC disclosures. However, the SEC disclosures enable comparisons of audit fees paid by issuers but do not enable comparisons of audit fees received by audit firms without costly efforts by investors to actually compile the information.
The Board considered whether the confidential provision of financial statements should be required for all firms or just the largest firms. One commenter suggested the threshold for firms to report financial statements should be 500 audit reports with no criterion for number of personnel. The Board limited the requirement for financial statements to firms with more than 200 reports issued for issuer audit clients and more than 1,000 personnel because of the role those firms play in the audit market and the value of having their financial statements available for the Board's immediate use under certain circumstances, such as staff observing detectable unexplained changes in a firm's financial health.
[top] Investor-related groups suggested financial statements should be audited and publicly available. Some commenters affirmed the financial statements should be confidentially reported or expressed concern that there could be avenues through which the financial statements become publicly available. The Board has decided to maintain confidential reporting of unaudited financial statements because, as noted in the Discussion of the Reporting Updates section, the Board does not have sufficient information regarding how financial statements would serve the public, and the PCAOB staff is well-positioned to understand any limitations that a lack of reasonable assurance implies. In addition, the PCAOB will use data storage and security protocols for financial statements that are used for other confidential data. One commenter suggested that in lieu of compiling financial statements in accordance with an applicable financial reporting framework, PCAOB inspectors could collect key standardized financial metrics through the annual data request and firms could provide financial statements prepared in accordance with their preferred basis. Several
b. Governance Information
One commenter recommended allowing firms to incorporate by reference the applicable governance disclosures from their transparency reports to streamline duplicative reporting requirements and reduce costs. While audit firms that compile transparency reports will be able to choose to leverage duplicative information from their transparency reports as a way to reduce costs, all audit firms will be required to report a complete set of required disclosures in order to achieve the public benefit of standardization and comparability across firms. Another commenter suggested that a firm applying QC 1000 could consider whether its structure impacts the firm's assessment of quality risks and accordingly design appropriate quality responses and communicate the strategy and key judgments in the firm's audit quality report or transparency report. However, investors will not be privy to a firm's assessment of quality risks except to the extent that the assessment is voluntarily reported, and most firms do not compile audit quality reports or transparency reports. Another commenter suggested that the governance disclosures could be streamlined to describe a firm's general governance structure without requiring some of the more prescriptive disclosures that could be more relevant to some firms than others. The Board agrees that the relevance and specified descriptions of governance structures may vary across firms. However, a general description of a firm's governance structure will not achieve the public benefits of the standardized and comparable specified disclosures.
c. Network Information
One commenter suggested revising the required network disclosures to focus on matters related to audit quality, such as audit methodology, staff training, and quality control rather than focusing on financial strength of the network. Some commenters recommended permitting firms to report network-related financial obligations confidentially because disclosure could put some firms and networks at a competitive disadvantage. One commenter explained that network structures vary widely and are not a significant factor in smaller firms' provision of audit services to issuers or broker-dealers and suggested that the required network disclosures apply only to larger firms that perform a significant number of multinational audit engagements.
As discussed in the Discussion of the Reporting Updates section, the Board has modified the requirement for network disclosures to focus on the registered firm and the aspects of its relationship with the network that most directly relate to the firm's conduct of audits, including access to audit methodologies and training materials, instead of asking for network-related financial obligations and other aspects of the network relationship. While the Board expects network structures to vary across firms, especially firms of different sizes, exempting firms based on a size threshold will not achieve the public benefits of standardization and comparability that is achieved by required reporting for all PCAOB-registered firms.
d. Special Reporting
Some commenters suggested that the trigger for the material specified event timeline should be when an event occurs because a threshold of "substantially likely" is judgmental. Some commenters suggested that the trigger should be the date on which the firm determined the event to be material. As discussed in the Discussion of the Reporting Updates section, the final rule removes proposed language related to planned or anticipated events and restricts reporting to events that have occurred. In addition, the reporting period for material specified events will begin upon the determination that the event is material in light of the shorter reporting timeframe for material specified events.
e. Cybersecurity Information
Several firm commenters suggested alternative reporting requirements for significant cybersecurity incidents and cybersecurity policies and procedures. One commenter suggested focusing on the impacts of a cybersecurity incident rather than requiring details regarding the cybersecurity incident, considering concerns about disclosing details that could exacerbate security threats. However, cybersecurity incidents will be confidentially reported rather than publicly disclosed. Another commenter suggested bifurcating reporting into: (i) mandatory confidential reporting for incidents that have actually occurred and could impact the provision of audit services or compromise client information and (ii) voluntary reporting for other types of incidents so that PCAOB could assist firms by issuing alerts to all firms. However, a voluntary system for reporting other incidents and issuing alerts is an alternative that can be enacted without rulemaking.
Two commenters recommended requiring reporting of significant cybersecurity incidents only when an incident impacts a firm's ability to audit public companies or SEC-registered broker-dealers. The Board notes the likelihood that the magnitude of the specified criteria that define a significant cybersecurity incident at a firm as explained in the Discussion of the Reporting Updates section- i.e., significantly disrupted or degraded the firm's operations critical to the functioning of the audit practice or those that have led to unauthorized access to the electronic information . . . of the firm in a way that has resulted in substantial harm to the audit firm's critical audit-related operations-could impact a firm's direct or indirect ability to audit public companies or SEC-registered broker-dealers, which renders the specified criteria equivalent to the recommended criterion.
One commenter recommended aligning the significant cybersecurity incident reporting requirement with existing industry or federal guidelines, such as the Federal Information Security Modernization Act, and permitting delayed reporting at the request of federal law enforcement. While the Board agrees other cybersecurity incident reporting frameworks may impose additional reporting requirements on audit firms, the PCAOB reporting requirements are designed specifically with the protection of investors and the public in mind for the provision of public company audits by PCAOB-registered audit firms, so any additional PCAOB reporting requirements will supplement any gaps in other reporting frameworks. Likewise, delaying reporting to PCAOB at the request of federal law enforcement should be determined based on whether the requested delay includes confidential reporting to regulators.
Special Considerations for Audits of Emerging Growth Companies
[top] Section 104 of the Jumpstart Our Business Startups ("JOBS") Act imposes certain limitations to the application of the Board's standards to audits of Emerging Growth Companies ("EGCs"), as defined in Section 3(a)(80) of the
Footnotes:
313 ? See Public Law 112-106 (Apr. 5, 2012). Section 103(a)(3)(C) of Sarbanes-Oxley, as added by Section 104 of the JOBS Act, also provides that any rules of the Board requiring (i) mandatory firm rotation or (ii) a supplement to the auditor's report in which the auditor would be required to provide additional information about the audit and the financial statements of the issuer (auditor discussion and analysis) shall not apply to an audit of an EGC. The Firm Reporting rule does not fall within either of these two categories.
314 ?The Firm Reporting rule does not impose any additional requirements on EGC audits. Nevertheless, the Board has provided this analysis of the impact on EGCs to assist the SEC in making the determination required under Section 104 to the extent that the requirements apply to "the audit of any emerging growth company" within the meaning of Section 104 of the JOBS Act.
To inform consideration of PCAOB standards and rules to audits of EGCs, PCAOB staff prepares a white paper annually that provides general information about characteristics of EGCs. 315 As of the November 15, 2022 measurement date, PCAOB staff identified 3,031 companies that self-identified as EGCs and filed audited financial statements with the SEC between May 16, 2021, and November 15, 2022, that included an audit report signed by a firm. 316
Footnotes:
315 ? See PCAOB, White Paper on Characteristics of Emerging Growth Companies and Their Audit Firms at November 15, 2022 (Feb. 20, 2024) ("EGC White Paper"), available at https://pcaobus.org/resources/other-research-projects.
316 ?The EGC White Paper uses a lagging 18-month window to identify companies as EGCs.Please refer to the "Current Methodology" section in the EGC White Paper for details.Using an 18-month window enables staff to analyze the characteristics of a fuller population in the EGC White Paper but may tend to result in a larger number of EGCs being included for purposes of the present EGC analysis than would alternative methodologies. For example, an estimate using a lagging 12-month window would exclude some EGCs that are delinquent in making periodic filings.An estimate as of the measurement date would exclude EGCs that have terminated their registration or that have exceeded the eligibility or time limits.
In general, any new PCAOB rules determined not to apply to audits of EGCs would require audit firms to address differing requirements with respect to audits of EGCs and non-EGCs. 317 This is not practical in the context of the Firm Reporting rule because the required disclosures and confidential reporting are firm-wide and will not be differentiable for different types of audits.
Footnotes:
317 ? See EGC White Paper, at 17. Based on staff analysis as of the November 15, 2022 measurement date, 86 percent of the 263 firms that issued audit reports for EGCs performed audits for both EGC and non-EGC issuers while 14 percent performed issuer audits only for EGCs.
The discussion of the economic impacts of the final rule above is generally applicable to all audits performed pursuant to PCAOB standards, including audits of EGCs. The required disclosures may impact the audit market for EGCs more than the audit market for non-EGCs to the extent EGCs are more likely to be audited by smaller firms. 318 As discussed above, smaller firms may incur higher costs per issuer because smaller firms do not experience economies of scale associated with information production and dissemination. However, the Board also expects the benefits of enhanced selection and monitoring to be higher for smaller firms to the extent that smaller firms currently provide fewer and less informative disclosures. Therefore, all else equal, both the benefits and costs of the reporting requirements may be higher for the EGC audit market than for the non-EGC audit market.
Footnotes:
318 ?PCAOB staff analysis indicates that, compared to exchange-listed non-EGCs, exchange-listed EGCs are approximately 2.6 times as likely to be audited by an NAF and approximately 1.3 times as likely to be audited by a triennially inspected firm. Source: EGC White Paper and S&P.
The benefits linked to financial reporting quality, as articulated above, may be especially relevant to EGCs. EGCs are more likely to be newer companies, which are typically smaller in size, 319 receive less analyst coverage, and have a shorter SEC financial reporting history than the broader population of public companies. The required disclosures are expected to enhance transparency of firms in the EGC audit market and contribute to an increase in the credibility of financial reporting by EGCs. To the extent that the Firm Reporting rule improves EGCs' financial reporting quality, the rule may also improve the efficiency of capital allocation, enhance capital formation, and lower the cost of capital. For example, investors may improve their capital allocation by reallocating capital toward EGCs with the strongest prospects for generating future risk-adjusted returns. Investors may also perceive less risk in the EGC capital markets generally, leading to an increase in the supply of capital to EGCs. This may increase capital formation and reduce the cost of capital to EGCs. The required disclosures could reduce competition in an EGC's product market if the indirect costs to audited companies disproportionately impact EGCs relative to their competitors.
Footnotes:
319 ? See EGC White Paper, at Figure 9 and Figure 12 (indicating that exchange-listed EGCs have lower market capitalization and revenue than exchange-listed non-EGCs).
One commenter suggested that requiring disclosures by firms that audit EGCs could impact the ability of EGCs to find auditors at a reasonable cost to be able to participate in capital markets. As noted above, the Board believes that the required disclosures could have a disproportionately higher cost impact for smaller companies and new public companies that are more likely to use smaller audit firms. The Board also notes above that investors in those smaller companies could accrue benefits from the required disclosures. In addition, as noted in the proposal and in this section, both benefits and costs of the required disclosures may be higher for the EGC audit market than for the non-EGC audit market.
Accordingly, and for the reasons explained above, the Board will request that the SEC determine that it is necessary or appropriate in the public interest, after considering the protection of investors and whether the action will promote efficiency, competition, and capital formation, to apply the Firm Reporting rule and any related amendments to firms that audit EGCs.
III. Date of Effectiveness of the Proposed Rules and Timing for Commission Action
Within 45 days of the date of publication of this notice in the Federal Register or within such longer period (i) as the Commission may designate up to 90 days of such date if it finds such longer period to be appropriate and publishes its reasons for so finding or (ii) as to which the Board consents, the Commission will:
(A) By order approve or disapprove such proposed rules; or
(B) Institute proceedings to determine whether the proposed rules should be disapproved.
IV. Solicitation of Comments
[top] Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rules are consistent with the requirements of Title I of the Act. Comments may be submitted by any of the following methods:
Electronic Comments
• Use the Commission's internet comment form ( https://www.sec.gov/rules/pcaob ); or
• Send an email to rule-comments@sec.gov. Please include PCAOB-2024-07 on the subject line.
Paper Comments
• Send paper comments in triplicate to Vanessa A. Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.
All submissions should refer to PCAOB-2024-07. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website ( https://www.sec.gov/rules/pcaob ). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rules that are filed with the Commission, and all written communications relating to the proposed rules between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Copies of such filing will also be available for inspection and copying at the principal office of the PCAOB. Do not include personal identifiable information in submissions; you should submit only information that you wish to make available publicly. You may redact in part or withhold entirely from publication submitted material that is obscene or subject to copyright protection. All submissions should refer to PCAOB-2024-07 and should be submitted on or before December 26, 2024.
For the Commission, by the Office of the Chief Accountant.
Vanessa A. Countryman,
Secretary.
[FR Doc. 2024-28148 Filed 12-4-24; 8:45 am]
BILLING CODE 8011-01-P