AS 2405: Auditor Responsibility for Illegal Acts

An independent audit provides assurance that a company’s financial statements are presented fairly. Auditors for public companies follow professional standards from the Public Company Accounting Oversight Board (PCAOB). A component of these responsibilities involves how an auditor must respond when encountering a client’s potential noncompliance with laws and regulations. This responsibility is a specific aspect of the auditor’s function in the capital markets.

The Auditor’s Responsibility for Illegal Acts

In a financial statement audit, “illegal acts” refer to violations of laws or governmental regulations by the company or its staff. The governing standard is PCAOB Auditing Standard AS 2405, Illegal Acts by Clients. This standard acknowledges that determining if a specific act is illegal is generally beyond an auditor’s professional competence. However, an auditor’s training and understanding of the client’s business provide a basis for recognizing that certain actions may be illegal.

AS 2405 establishes a distinction between two categories of illegal acts. The first category includes acts with a direct and material effect on the amounts in the financial statements. These are violations of laws, such as tax laws, that are recognized by auditors as having a direct link to financial statement figures. For these potential violations, audit procedures are designed to provide reasonable assurance of their detection.

The second category involves illegal acts with an indirect effect on the financial statements. These are violations of laws where the connection to financial figures is less direct, such as noncompliance with environmental or workplace safety laws. The financial impact arises from potential fines, penalties, or damages that create a contingent liability. The auditor’s responsibility for these indirect acts is more limited, as they are not required to design the audit to search for them, but must respond if information indicating a potential violation comes to their attention.

The PCAOB has issued a proposal to replace AS 2405 with a new standard, “A Company’s Noncompliance with Laws and Regulations” (NOCLAR). The June 2023 proposal aims to strengthen auditor requirements for identifying, assessing, and communicating noncompliance. It would require auditors to be more proactive in identifying laws and regulations that could have a material effect—both direct and indirect—on financial statements. The PCAOB has indicated that further action on the proposal is expected in 2025.

The Investigation Process for Potential Illegal Acts

When an auditor becomes aware of information suggesting a possible illegal act, they begin an investigation to understand the situation and its potential impact on the financial statements. The initial step involves making inquiries of management at a level of authority above those suspected of being involved. This ensures the inquiry is directed to individuals who are not implicated in the potential wrongdoing.

If management’s response does not provide sufficient information, the auditor should consult with the client’s legal counsel. Legal experts can provide insight into the application of relevant laws and regulations. The auditor may also need to apply additional, specifically designed audit procedures to obtain a better understanding of the act.

A part of this investigation is evaluating the potential effects of the act on the financial statements, including contingent monetary effects. The auditor must assess potential fines, penalties, and damages that could arise from the illegal act. The auditor considers both quantitative and qualitative materiality; for instance, an illegal payment that is small in amount could still be material if it creates a reasonable possibility of a significant contingent liability or the loss of a major revenue stream.

Required Communications with Management and Committees

Once an auditor concludes that an illegal act has or is likely to have occurred, communication with the client’s leadership is required. Unless the matter is considered “clearly inconsequential,” the auditor must ensure that the company’s audit committee is adequately informed about the act. This communication elevates the issue to the highest level of governance within the organization.

Being “adequately informed” means the auditor must describe the act, the circumstances of its occurrence, and its effect on the financial statements. This includes providing details about any financial penalties, fines, or loss contingencies. The communication should be timely, allowing the audit committee to take appropriate action in response.

While the primary communication duty is to the audit committee, notification to parties outside the client may be required in limited circumstances. For example, under the Private Securities Litigation Reform Act of 1995, if the audit committee fails to take appropriate remedial action, the auditor may be obligated to report the matter to the Securities and Exchange Commission (SEC). This external reporting can also be triggered if the auditor withdraws from the engagement, which may necessitate the company filing a Form 8-K.

Consequences for the Audit Engagement

The discovery of an illegal act can alter the auditor’s final report. If an illegal act has a material effect on the financial statements and the company has not properly accounted for or disclosed it, the auditor cannot issue an unqualified, or “clean,” opinion. Instead, the auditor would issue either a qualified opinion or an adverse opinion, stating that the financial statements are not fairly presented.

An auditor may conclude that withdrawing from the audit engagement is necessary. This decision is considered when the client refuses to accept the auditor’s proposed modifications to the financial statements or take other remedial actions. An auditor might also withdraw if the illegal act is so significant that it undermines the auditor’s belief in the integrity of senior management, making it impossible to rely on their representations.