Ed. note: Today’s post is courtesy of Advisory Board member and former PCAOB Chair Dan Goelzer. As third-party assurance of ESG reports grows, many are questioning how financial audit/assurance standards apply – if at all. In the first of this two-part series, Dan gives background on and status of PCAOB’s attestation standards. In part 2, Dan explores the role these standards could play in ESG disclosures – and why.
The Public Company Accounting Oversight Board recently asked for the public’s views on the application and use of the Board’s interim attestation standards. The standards are currently something of a dead letter, and the role that they were intended to play in advancing the PCAOB’s mission of protecting investors and furthering the public interest in “informative, accurate, and independent audit reports” is not clear. However, the Board’s decision to revisit the attestation standards could be an opportunity to make them relevant. Investor demand for reliable corporate environmental, social, and governance disclosures is increasing rapidly, and many companies are engaging auditors or other experts to provide assurance on their ESG disclosures.
A PCAOB attestation standard aimed specifically at U.S. public company ESG disclosures would meet a market need. Moreover, by adopting a standard tailored to the preparation of opinions on greenhouse gas emissions, the PCAOB could play an important role in a key aspect of the SEC’s climate change proposals.
What are the PCAOB’s Attestation Standards?
In the world of accounting, an attestation engagement is one in which a CPA is engaged to issue a report on subject matter, or an assertion about a subject matter, that is the responsibility of another party. The audit of a company’s financial statements is the most common type of attestation. Under the Sarbanes-Oxley Act, these audits for SEC reporting companies (and audits of their internal control over financial reporting) must be performed under the PCAOB’s auditing standards.
Although an audit is a type of attestation, the term “attestation” normally refers to an assignment in which an accounting firm is engaged to examine or report on a matter outside of the financial statements. As the PCAOB explains in its request for comment, attest engagements may, for example, relate to such things as a company’s compliance with laws and regulations or to evaluating historical data against pre-determined criteria. The PCAOB’s attestation standards provide a framework for these types of engagements.
The PCAOB’s basic attestation standard is AT 101. Under AT 101, there are three types of attestations, each of which provides a different level of assurance – an examination, which provides reasonable assurance; a review, which provides limited assurance; and an agreed-upon procedures engagement, which does not provide specific assurance, but reports on the performance of specific procedures and any related findings. AT 101 covers such matters as the need for adequate training, proficiency, and subject matter knowledge; the need to maintain independence and exercise due professional care; and the need for proper planning and supervision.
AT 101 is generic or foundational – it does not deal with the procedures appropriate for any particular type of attestation engagement. The Board does, however, also have attestation standards that address specific types of engagements – for example, attestations of financial forecasts and projections (AT 300), reporting on pro forma financial information (AT 400), and compliance attestations (AT 600).
The Board did not write its current attestation standards. In April 2003, the PCAOB adopted, on an interim basis, the attestation standards of the American Institute of Certified Public Accountants (AICPA). While the PCAOB’s attestation standards have not changed substantially in almost two decades, the AICPA standards they originally mirrored were updated in 2016 as part of the Institute’s clarity project.
As the PCAOB points out in the comment request, its standards are used in certain regulatory compliance attestations, such as investment company custody compliance and compliance with Securities Investor Protection Act insurance fund contribution requirements. Apart from these fairly esoteric regulatory attestations, it appears that the PCAOB’s attestation standards are rarely, if ever, used today. This is likely because the PCAOB’s standards are somewhat out-of-date and because there is no particular incentive to use them. One of the goals of the Board’s interim attestation standards review is to determine whether its standards could be retooled to serve a broader investor protection purpose.