Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules on Firm Reporting, 96712-96787 [2024-28148]

Agencies

• SECURITIES AND EXCHANGE COMMISSION

[Federal Register Volume 89, Number 234 (Thursday, December 5, 2024)]
[Notices]
[Pages 96712-96787]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-28148]



[[Page 96711]]

Vol. 89

Thursday,

No. 234

December 5, 2024

Part II





 Securities and Exchange Commission





-----------------------------------------------------------------------





Public Company Accounting Oversight Board; Notice of Filing of Proposed 
Rules on Firm Reporting; Notice

Federal Register / Vol. 89 , No. 234 / Thursday, December 5, 2024 / 
Notices

[[Page 96712]]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-101723; File No. PCAOB-2024-07]


Public Company Accounting Oversight Board; Notice of Filing of 
Proposed Rules on Firm Reporting

November 25, 2024.
    Pursuant to Section 107(b) of the Sarbanes-Oxley Act of 2002 
(``Sarbanes-Oxley'' or the ``Act''), notice is hereby given that on 
November 22, 2024, the Public Company Accounting Oversight Board (the 
``Board'' or the ``PCAOB'') filed with the Securities and Exchange 
Commission (the ``Commission'') the proposed rules described in items I 
and II below, which items have been prepared by the Board. The 
Commission is publishing this notice to solicit comments on the 
proposed rules from interested persons.

I. Board's Statement of the Terms of Substance of the Proposed Rules

    On November 21, 2024, the Board adopted amendments to its annual 
and special reporting requirements for audit firms (collectively, the 
``proposed rules''). The text of the proposed rules is set out below. 
The text of the proposed rules appears in Exhibit A to the SEC Filing 
Form 19b-4 and is available on the Board's website at Docket 055 
[verbar] PCAOB (pcaobus.org) and at the Commission's Public Reference 
Room.

II. Board's Statement of the Purpose of, and Statutory Basis for, the 
Proposed Rules

    In its filing with the Commission, the Board included statements 
concerning the purpose of, and basis for, the proposed rules and 
discussed any comments it received on the proposed rules. The text of 
these statements may be examined at the places specified in Item IV 
below. The Board has prepared summaries, set forth in sections A, B, 
and C below, of the most significant aspects of such statements. In 
addition, the Board has requested that the Commission approve the 
proposed rules, pursuant to Section 103(a)(3)(C) of the Act, for 
application to audits of emerging growth companies (``EGCs''), as that 
term is defined in Section 3(a)(80) of the Securities Exchange Act of 
1934 (``Exchange Act''). The Board's request is set forth in section D.

A. Board's Statement of the Purpose of, and Statutory Basis for, the 
Proposed Rules

(a) Purpose
    The Board has adopted amendments to its annual and special 
reporting requirements to mandate the disclosure of more complete, 
standardized, and timely information by registered public accounting 
firms. The changes include enhanced reporting of firm financial, 
governance, and network information; expanded special reporting; and 
cybersecurity reporting, among other topics. After notice and comment, 
the Board believes that the final amendments are necessary or 
appropriate in the public interest or for the protection of investors 
and would enhance firm transparency and improve the PCAOB's oversight 
of audit firms.
    As the Board has previously observed, robust disclosure is the 
cornerstone of the U.S. federal securities regulatory regime and is 
essential to efficient capital formation and allocation.\1\ Access to 
meaningful information about a public company allows investors to make 
informed judgments about the company's financial position and the 
stewardship exercised by the company's directors and management. With 
the passage of the Sarbanes-Oxley Act of 2002 (``Sarbanes-Oxley''), 
Congress acknowledged and re-emphasized the auditor's important 
gatekeeping role within the public company reporting framework and 
required PCAOB-registered firms to submit public annual reports to the 
Board.\2\ Sarbanes-Oxley also provides that firms may be required to 
report more frequently and authorizes the Board to require ``such other 
information as the rules of the Board or the Commission shall specify 
as necessary or appropriate in the public interest or for the 
protection of investors.'' \3\
---------------------------------------------------------------------------

    \1\ See Improving the Transparency of Audits: Proposed 
Amendments to PCAOB Auditing Standards to Provide Disclosure in the 
Auditor's Report of Certain Participants in the Audit, PCAOB Rel. 
No. 2013-009, at 2 (Dec. 4, 2013).
    \2\ See Section 101(a) of Sarbanes-Oxley, 15 U.S.C. 7211(a); 
Senate Report No. 107-205, at 5-6 (July 3, 2002).
    \3\ See Sections 102(b)-(e) of Sarbanes-Oxley.
---------------------------------------------------------------------------

    The Board has observed an increase in voluntary audit firm 
transparency reporting, potentially reflecting market demand for more 
information regarding firms to support informed decision-making by 
market participants. The Board has also observed other jurisdictions 
implementing audit firm reporting initiatives. Indeed, investors and 
investor-related groups have long sought more transparency about firms, 
asserting that additional data and information would help investors 
make informed decisions about investing their capital, ratifying the 
selection of auditors, and voting for members of the board of 
directors, including directors who serve on the audit committee.\4\ 
Investor and investor-related group comments on this rulemaking 
evidence their continuing support for enhanced transparency.
---------------------------------------------------------------------------

    \4\ See, e.g., Comment No. 4 from Members of the Investor 
Advisory Group (``IAG'') (Jan. 13, 2023), Rulemaking Docket 046: 
Quality Control, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket046/4_iag.pdf?sfvrsn=1941e7c0_4; Comment No. 5 from the Council of 
Institutional Investors (Jan. 19, 2023), Rulemaking Docket 046: 
Quality Control, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket046/5_cii.pdf?sfvrsn=69b3e6bd_4; Center for Audit Quality (``CAQ''), 
Audit Quality Disclosure Framework (Jan. 2019), available at 
caq_audit_quality_disclosure_framework_2019-01.pdf (thecaq.org); 
PCAOB Investor Advisory Group Meeting (Oct. 27, 2016), available at 
https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting_1052.
---------------------------------------------------------------------------

    Prior to this rulemaking, the basic framework for the PCAOB's 
annual and special reporting requirements, however, had not been 
substantively reevaluated since its adoption in 2008.\5\ The Board has 
considered the reporting requirements established in 2008, the staff's 
experience with those requirements, concerns raised by investors 
regarding a lack of audit firm transparency, and comments received in 
connection with this rulemaking. The Board believes that improvements 
to the reporting requirements should be made to facilitate more public 
disclosure about aspects of registered firms' operations that could 
impact firms' ability to conduct quality audits, and that such 
disclosure will be informative and useful to investors, audit 
committees, and other stakeholders \6\ when evaluating audit firms and 
the audits of public companies. The Board further believes that the 
reporting requirements it has adopted will enhance investor confidence 
in public company audits and, therefore, in financial reporting.
---------------------------------------------------------------------------

    \5\ The PCAOB amended its rules and form in 2013 to conform to 
the Dodd-Frank Wall Street Reform and Consumer Protection Act as it 
relates to the Board's oversight of audits of broker-dealers. See 
Amendments to Conform the Board's Rules and Forms to the Dodd-Frank 
Act and Make Certain Updates and Clarifications, PCAOB Rel. No. 
2013-010 (Dec. 4, 2013).
    \6\ Throughout the release the Board often refers to investors 
and audit committees as the principal users of the public reporting. 
This does not foreclose use by other stakeholders.
---------------------------------------------------------------------------

    In addition to transparency benefits, enhanced reporting 
requirements will facilitate the PCAOB's regulatory functions, and 
thus, better inform the

[[Page 96713]]

Board's oversight activities to protect investors. Specifically, the 
Board believes that more disclosure about registered firms will (1) 
facilitate monitoring of firms for risks or issues that, individually 
or taken together with other factors, may affect the ability of firms 
to conduct quality audits and may potentially affect the broader market 
for audit services; (2) facilitate analysis and planning related to the 
PCAOB's inspection program; (3) identify circumstances or events that 
may warrant or inform enforcement investigations; and (4) inform the 
PCAOB's standard-setting process.
    Although the PCAOB may request information from firms from time to 
time as part of its regulatory activities, requiring the regular 
periodic and special reporting of certain information will standardize 
the provision of the information and enhance its comparability and 
timeliness, supporting the PCAOB's regulatory functions and therefore 
supporting investor protection.
    The Board has considered comments raising concerns that the 
reported information may not be useful or may be misunderstood by 
investors and other stakeholders. As an initial matter, investors and 
investor-related groups have consistently called for greater audit firm 
transparency, including in comments in connection with this rulemaking, 
and stated that these types of reporting requirements will inform their 
decision-making. In addition, the Board notes that similar objections 
regarding the benefit of disclosure were raised in connection with 
recent past rulemakings requiring additional information about audits 
and auditors to be made public, namely Form AP reporting of the name of 
the engagement partner and information about other firms participating 
in the audit, and auditor communication of critical audit matters 
(CAMs). In both those cases, the Board has observed that the new 
information is sought after. The Form AP data set is now one of the 
most frequently visited areas of the Board's website.\7\ As for CAMs, 
in a recent investor survey conducted by a firm-related group, over 90% 
of the respondents indicated that CAMs play an important role in their 
investment decision-making.\8\ The Board's experience suggests that 
additional information about auditors and audit engagements is accessed 
and relied upon by the Board's stakeholders when it is available. 
Moreover, the PCAOB has continued to find both anticipated and new uses 
for reported information.
---------------------------------------------------------------------------

    \7\ In 2023, there were over 333,000 unique searches performed 
on AuditorSearch and the Form AP dataset was downloaded over 2,000 
times. Information related to usage statistics can be found on the 
PCAOB's website (https://pcaobus.org/resources/auditorsearch).
    \8\ The Center for Audit Quality Critical Audit Matters Survey 
(July 2024) at 9.
---------------------------------------------------------------------------

    Finally, when the Board proposed these requirements, the Board 
strove to craft targeted amendments to existing reporting requirements 
to support its transparency and regulatory objectives. In formulating 
the final amendments, the Board has given careful consideration to the 
comments received to further refine the amendments to best achieve the 
objectives of this rulemaking. In particular, the Board has tailored 
the requirements to focus on specific disclosures that should be most 
useful to PCAOB staff in its oversight of audit firms and to investors, 
audit committees, and others in their decision-making and evaluation of 
audit firms.
Final Amendments
    The final amendments will revise the annual and special reporting 
framework in the following ways:
     Revise the annual reporting form (``Form 2'' or the 
``Annual Report Form'') to require more information regarding a firm's 
network arrangements; leadership and governance structure; and fees 
collected, and implement a new requirement for the largest accounting 
firms to confidentially submit financial statements to the PCAOB in a 
specified manner.
     Revise the special reporting form (``Form 3'' or the 
``Special Reporting Form'') to expand the scope of special reporting 
for a subset of firms to include (on a confidential basis) events that 
pose a material risk, or represent a material change, to the firm's 
organization, operations, liquidity or financial resources, in such a 
manner that they will affect the provision of audit services 
(``material event reporting''); and to require material event reporting 
within 14 days or more promptly as warranted;
     Implement new cybersecurity reporting requirements, 
including reporting of significant cybersecurity incidents within five 
business days on a confidential basis and public reporting of a brief 
description of a firm's policies and procedures, if any, to identify, 
assess, and manage cybersecurity risks; and
     Implement a new form (``Update to the Statement of 
Applicant's Quality Control Policies and Procedures'' or ``Form QCPP'') 
to capture updates to a firm's quality control policies currently 
provided in a firm's application for registration (Form 1).
Key Changes From the Proposal
    In consideration of comments received, the Board has modified the 
final amendments in certain respects, including the following changes:
     Fee Reporting: The Board streamlined the fee disclosure 
requirements to reduce disaggregation as compared to the proposal. The 
final amendments will require that firms report the existing fee 
disclosure categories in actual amounts (as opposed to percentages), 
plus broker-dealer fees, and total fees for all clients. These changes 
are to clarify, reduce burden, and focus the requirement on information 
that provides insight into a firm's audit practice.
     Financial Statements: The Board adopted the requirement 
for the largest firms to provide financial statements to the PCAOB 
confidentially, but has eliminated the requirement to prepare them in 
accordance with an applicable financial reporting framework. Instead, 
the Board has prescribed certain minimum requirements for the financial 
statements. This change is to mitigate the costs of this requirement 
for firms while still ensuring the reporting requirement results in 
improved standardization to improve the Board's insight into a firm's 
practice, focus, and incentives, and inform the PCAOB's oversight of 
registered firms.
     Governance and Network Reporting: The Board has adopted 
the requirements related to firm governance and network arrangements 
with modifications to streamline the requirements, increase clarity, 
and further focus requirements on the registered entity's audit 
practice.
     Special Reporting: The Board has not adopted the proposal 
to accelerate the Form 3 reporting deadline, except that material event 
reporting and cybersecurity incident reporting are required to be 
reported under the proposed accelerated timeframes. This change is 
intended to ease the burden, particularly for smaller firms, while 
still requiring timely reporting of events of sufficient significance 
and urgency to warrant more prompt reporting. The Board has adopted the 
material event reporting requirement with modifications to clarify, 
ease implementation, and better focus the requirement on information 
relevant to a firm's audit practice. In addition, the Board has limited 
the firms subject to the material event reporting requirement to those 
that are annually inspected, i.e., firms that provide audit opinions 
for more than 100 issuers annually.

[[Page 96714]]

     Cybersecurity Incident Reporting: The Board has adopted 
the proposed requirements with modifications to language for clarity 
and to better link disclosures to the firm's audit practice.
Effective Date
    For annual and special reporting requirements, the Board has 
adopted phased implementation to give smaller firms more time to 
develop and test the necessary tools to comply with the requirements. 
For the first phase, the final amendments will become effective as of 
March 31, 2027, or two years after approval of the requirements by the 
U.S. Securities and Exchange Commission (SEC), whichever occurs later. 
The first phase applies to the largest firms as defined in new rule 
4013. For the second phase, the final amendments will become effective 
one year after the first. The second phase applies to all other firms 
subject to the reporting requirements.
    For Form QCPP, the Board has aligned the effective date for Form 
QCPP with the effective date for QC 1000. Thus, the final amendments 
will become effective December 15, 2025 and the deadline for filing is 
30 days thereafter on January 14, 2026.
    This release provides background on the Board's rulemaking project, 
discusses comments received, and includes an economic analysis that 
further considers the need for rulemaking and the anticipated economic 
impacts of the Board's approach. Appendix 1 sets forth the text of the 
form modifications, a new form, and rule amendments.
(b) Statutory Basis
    The statutory basis for the proposed rules is Title I of the Act.

B. Board's Statement on Burden on Competition

    Not applicable. The Board's consideration of the economic impacts 
of the proposed rules is discussed in section D below.

C. Board's Statement on Comments on the Proposed Rules Received From 
Members, Participants or Others

    The Board released the proposed rule amendments for public comment 
in PCAOB Release No. 2024-003 (April 9, 2024). The Board received 36 
written comment letters. The Board has carefully considered all 
comments received. The Board's response to the comments it received and 
the changes made to the rules in response to the comments received are 
discussed below.
Background and Key Considerations
Current Reporting Framework
    Section 102(d) of Sarbanes-Oxley provides that each registered 
public accounting firm shall submit an annual report to the Board and 
may also be required to report more frequently ``such additional 
information as the Board or the Commission may specify.'' \9\ In 2008, 
the Board adopted rules and forms to govern and facilitate annual 
reporting of certain information and to require, govern, and facilitate 
special reporting of certain other information if specified events 
occur.\10\
---------------------------------------------------------------------------

    \9\ Section 102(d) of Sarbanes-Oxley provides:
    Each registered public accounting firm shall submit an annual 
report to the Board, and may be required to report more frequently, 
as necessary to update the information contained in its application 
for registration under this section, and to provide to the Board 
such additional information as the Board or the Commission may 
specify, in accordance with subsection (b)(2).
    \10\ See Rules on Periodic Reporting by Registered Public 
Accounting Firms, PCAOB Rel. No. 2008-004 (June 10, 2008).
---------------------------------------------------------------------------

    The Board specified that the reporting requirements were intended 
to serve three fundamental purposes. First, firms were required to 
report information to keep the PCAOB's records current about such basic 
matters as the firm's name, location, contact information, and 
licenses. Second, firms were required to report information reflecting 
the extent and nature of the firm's audit practice to facilitate 
analysis and planning related to the PCAOB's inspection 
responsibilities, to inform other PCAOB functions, and to provide 
potentially valuable information to the public. Third, firms were 
required to report circumstances or events that could merit follow-up 
through the PCAOB's inspection or enforcement processes, and that may 
otherwise warrant being brought to the public's attention (such as a 
firm's withdrawal of an audit report in circumstances where the 
information is not otherwise publicly available).\11\
---------------------------------------------------------------------------

    \11\ See id. at 6.
---------------------------------------------------------------------------

    The current reporting framework includes two types of reporting 
obligations. First, it requires each registered firm to provide basic 
information once a year about the firm and the firm's audit practice 
over the most recent 12-month period. The firm must do so by filing an 
annual report on Form 2. Second, upon the occurrence of specified 
events, a firm must report certain information by filing a special 
report on Form 3. The Board has not substantively revisited the annual 
and periodic reporting framework set forth on Forms 2 and 3 since their 
adoption in 2008.
    At the time, the Board noted that, by adopting these requirements, 
it did ``not mean to suggest that the information encompassed by these 
rules is the only information that the Board will require firms to 
report under Section 102(d) of the [Sarbanes-Oxley] Act.'' To the 
contrary, the Board noted that it ``may identify other useful 
requirements by, for example, monitoring public discussion of relevant 
issues or considering disclosure requirements in other auditor 
regulatory regimes,'' specifically citing the work of the Department of 
the Treasury's Advisory Committee on the Auditing Profession (ACAP) as 
a potential area of interest.\12\
---------------------------------------------------------------------------

    \12\ See id. at 4-5.
---------------------------------------------------------------------------

    In 2008, the Board adopted Form 4, Succeeding to Registration 
Status of Predecessor, which permits a registered public accounting 
firm's registration status to continue with an entity that survives a 
merger or other change in the firm's legal form.\13\ Also, in 2015, the 
Board adopted rules to require registered firms to file Form AP to 
disclose the names of engagement partners and certain information about 
other accounting firms that participated in their audits of public 
companies.\14\ Form AP requires information specific to particular 
audit engagements, rather than information that is firmwide and 
operational in nature.
---------------------------------------------------------------------------

    \13\ See Rules on Succeeding to the Registration Status of a 
Predecessor Firm, PCAOB Release No. 2008-005 (July 29, 2008).
    \14\ See Improving the Transparency of Audits: Rules to Require 
Disclosure of Certain Audit Participants on a New PCAOB Form and 
Related Amendments to Auditing Standards, PCAOB Release No. 2015-008 
(Dec. 15, 2015).
---------------------------------------------------------------------------

    In addition, in May 2024, the Board adopted new requirements (QC 
1000, A Firm's System of Quality Control) for an audit firm's system of 
quality control (QC) that included, among other things, the requirement 
that a firm report to the Board annually the outcome of the evaluation 
of the firm's QC system with respect to any period during which the 
firm was required to implement and operate the QC system.\15\ QC 1000 
was approved by the SEC in September 2024.
---------------------------------------------------------------------------

    \15\ See A Firm's System of Quality Control and Other Amendments 
to PCAOB Standards, Rules, and Forms, PCAOB Rel. No. 2024-005 (May 
13, 2024).
---------------------------------------------------------------------------

    Finally, in Firm and Engagement Metrics, the Board has concurrently 
adopted public reporting of standardized firm- and engagement-level 
metrics regarding a firm's audit work and audit practice. In 
particular, the Board has adopted metrics in the following areas: 
partner and management involvement; workload; training hours for audit 
personnel;

[[Page 96715]]

experience of audit personnel; industry experience; retention of audit 
personnel; allocations of audit hours; and restatement history.
Developments Since the Implementation of the Current Framework
    The Board has considered various developments since the adoption of 
the current annual and special reporting framework, including the 
following:
     The staff's experience with the current reporting 
framework;
     The issuance, and the staff's continued assessment, of the 
ACAP Final Report to the Department of the Treasury (``ACAP Final 
Report''), including (1) recommendations for the PCAOB to enhance firm 
reporting and monitoring and (2) its emphasis on the risk that the 
failure of a large audit firm could have disruptive effects on the 
ability of firms to conduct quality audits and on the audit market;
     Audit firm transparency initiatives in other 
jurisdictions, including certain mandatory reporting requirements, the 
development of voluntary transparency reporting in the United 
States,\16\ and studies of the effects of enhanced transparency on 
audit quality and investor confidence;
---------------------------------------------------------------------------

    \16\ See, e.g., CAQ, Audit Quality Report Analysis: A Year in 
Review (Mar. 2023), available at https://www.thecaq.org/aqr-analysis-yir. In 2023, the CAQ published a summary analysis of the 
most recent audit quality reports issued by the eight firms 
represented on the CAQ's Governing Board. The CAQ report noted that 
some firms disclosed qualitative as well as quantitative 
information, including information relating to audit methodology and 
execution, people and firm culture, quality management and 
inspections, and technology and innovation.
---------------------------------------------------------------------------

     PCAOB outreach and activities regarding audit firm 
transparency;
     The growing risk to audit firms from cyberattacks and 
cyberbreaches and the increase of such incidents at audit firms; \17\ 
and
---------------------------------------------------------------------------

    \17\ See Gary Salman, The rise of cybercrime in the accounting 
profession continues, Accounting Today Online (Aug. 24, 2020); see 
also Maggie Miller, FBI sees spike in cyber crime reports during 
coronavirus pandemic, The Hill (Apr. 16, 2020); see also Karen 
Nakamura, Cybersecurity risk: Constant vigilance required, Journal 
of Accountancy (Sept. 1, 2022). See also Department of Homeland 
Security, Cyber Safety Review Board to Conduct Second Review on 
Lapsus$ (Dec. 2, 2022), available at https://www.dhs.gov/news/2022/12/02/cyber-safety-review-board-conduct-second-review-lapsus; Tim 
Starks, The Latest Mass Ransomware Attack Has Been Unfolding For 
Nearly Two Months, Washington Post (Mar. 27, 2023).
---------------------------------------------------------------------------

     The comments submitted to the PCAOB on the Firm Reporting 
proposal.
1. Staff Experience With the Current Framework
    The staff has at times received important information from 
registered firms on a voluntary ad hoc basis rather than pursuant to 
required reporting or through any formal mechanism. Examples of such ad 
hoc reporting include changes in leadership, reductions in workforce, 
pending merger transactions, and cybersecurity incidents. In addition, 
the staff routinely requests certain information from firms, including 
business and financial metrics, to inform inspection planning and 
scoping that may be more efficiently collected in a standardized form 
via periodic or special reporting. Finally, the staff has at times 
found voluntarily and mandatorily reported information to be 
incomplete, inaccurate, or insufficiently detailed. For example, the 
staff has at times found fee information reported on the Annual Report 
Form insufficiently specific, inconsistently reported from year-to-year 
with respect to methodology, or not reported in accordance with form 
instructions, which has inhibited the degree to which the information 
can effectively inform the PCAOB's statutory oversight function.
2. ACAP Final Report
    In October 2008, after the Board's adoption of Forms 2 and 3, the 
ACAP--a committee of business leaders, investors, former SEC staff 
members, and accounting professionals that had studied the auditing 
profession for one year--issued the ACAP Final Report with 
recommendations for the SEC, PCAOB, and auditing profession. In 
presenting the ACAP Final Report, the ACAP co-chairs contended that 
``[t]he major auditing firms are key actors in the public securities 
markets'' and ``must comply with the same principles of transparency 
that the Board asks of other major market actors, both for the sake of 
the credibility of the market system as a whole, and for the 
credibility and long-term health of the firms themselves.'' \18\
---------------------------------------------------------------------------

    \18\ ACAP Final Report at II:6.
---------------------------------------------------------------------------

    The ACAP Final Report included the following recommendations, among 
others, for the PCAOB:
     Monitor potential sources of catastrophic risk which would 
threaten audit quality; and
     Create a requirement for larger auditing firms to produce 
a public annual report including, among other things, information 
required by the European Union's transparency report, and to file on a 
confidential basis with the PCAOB audited financial statements.\19\
---------------------------------------------------------------------------

    \19\ Id. at VII:20, VIII:10. The ACAP Final Report included 
recommendations in three areas: (i) concentration and competition, 
(ii) firm structure and finance, and (iii) human capital. The two 
bulleted recommendations come from areas (i) and (ii). The Board has 
addressed other ACAP recommendations by, for example, adopting Form 
AP which is in part responsive to an ACAP recommendation that the 
PCAOB undertake a standard-setting initiative to consider mandating 
the engagement partner's signature on the auditor's report.
---------------------------------------------------------------------------

    In making these recommendations, the ACAP noted that the PCAOB was 
``uniquely qualified to monitor the firms'' and that monitoring for 
disruptions to the market that could threaten audit quality was 
consistent with the PCAOB's mission and mandate.\20\ Within the report, 
Treasury Secretary Henry Paulson noted the importance of striking a 
balance between investor protection and market competitiveness, while 
the ACAP co-chairs highlighted a related goal of reducing the barriers 
for smaller firms to enter the public company audit market.\21\ This 
release and the pursuant economic analysis consider these overarching 
principles in connection with these requirements.
---------------------------------------------------------------------------

    \20\ Id. at VII:24, VIII:11.
    \21\ Id. at D:3, II:5.
---------------------------------------------------------------------------

    The Board agrees that its mandate extends to monitoring firms and 
the audit market for disruptions, including those related to firm 
viability, staffing, or potential legal liabilities.\22\ For example, 
in the event of a solvency-threatening event at an audit firm, the 
Board would need adequate information to assess whether that failure 
may have a disproportionate impact on a particular sector and the 
extent to which other audit firms are positioned to absorb the 
threatened firm's companies under audit.\23\ The Board would also need 
adequate information to respond to inquiries from its oversight 
authorities, the SEC and Congress, to share pertinent information with 
other regulators as appropriate, and to consider appropriate guidance 
regarding transitioning audit clients.
---------------------------------------------------------------------------

    \22\ See Section 101(c)(5) of Sarbanes-Oxley, which provides, in 
addition to performing core functions such as registrations and 
inspections, the Board's duties extend to ``perform[ing] such other 
duties or functions as the Board (or the Commission, by rule or 
order) determines are necessary or appropriate to promote high 
professional standards among, and improve the quality of audit 
services offered by, registered public accounting firms and 
associated persons thereof, or otherwise to carry out this Act, in 
order to protect investors, or to further the public interest.''
    \23\ For the purposes of this standard, the phrase ``issuer 
under audit'' or ``company under audit'' has the same meaning as 
``audit client'' under PCAOB Rule 3501(a)(iv).
---------------------------------------------------------------------------

    Some comment letters on the proposal supported the PCAOB's efforts 
to fulfill the ``long overdue'' ACAP recommendation to require audit 
firms to uniformly disclose certain information about their 
organization

[[Page 96716]]

and operations and for larger audit firms to issue audited financial 
statements. On the other hand, one commenter pointed to the costs of 
implementing this release's disclosure regime and stated that Treasury 
Secretary Henry Paulson in the ACAP Final Report emphasized the 
importance of striking a balance between investor protection and market 
competitiveness, and the ACAP co-chairs highlighted a goal of reducing 
the barriers for smaller firms to enter the public company audit 
market. Another commenter stated that the ACAP Final Report's 
recommendations are advisory and unconstrained by determinations of 
PCAOB authority.
    As explained throughout this release, the Board believes that the 
adopted amendments will ultimately enhance investor protection and 
improve audit quality while not unduly burdening firms. In addition, 
the Board discusses the ACAP Final Report as appropriate context for it 
to consider in the course of this rulemaking, not as binding on the 
Board nor as conferring any authority on the Board.
3. Transparency Reporting Developments
    Currently, in certain other jurisdictions, audit firms disclose 
governance and other information according to legal and regulatory 
frameworks, including those imposed by authorities in the European 
Union, the United Kingdom, Japan, and Canada. For example, the European 
Union's transparency report requires a description of the legal 
structure and ownership of the audit firm, network-related information, 
a description of the governance structure of the audit firm, 
information concerning the basis for the partners' remuneration, and 
information regarding revenue, including disaggregation of revenue from 
audit and non-audit services.\24\
---------------------------------------------------------------------------

    \24\ See Regulation (EU) No 537/2014 of the European Parliament 
and of the Council of 16 April 2014 on specific requirements 
regarding statutory audit of public-interest entities and repealing 
Commission Decision 2005/909/EC Text with EEA relevance at Article 
13, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32014R0537.
---------------------------------------------------------------------------

    In 2021, the International Forum of Independent Audit Regulators 
(IFIAR) published a report analyzing developments in the audit market, 
including developments in transparency reporting.\25\ Discussing a 
survey of IFIAR members, the report noted that, of 50 respondents, 36 
had adopted transparency reporting by audit firms and, of those 36, 27 
had done so on a mandatory basis.\26\ The report further observed that, 
while transparency reporting may vary from jurisdiction to 
jurisdiction, transparency reports generally include ``information 
related to governance and commitments of each firm including but not 
limited to legal/governance structure; relationships with an audit firm 
network; quality control system and outcomes; tone at the top; 
development of qualified professionals; financials; and responses to 
relevant regulations.'' \27\
---------------------------------------------------------------------------

    \25\ See IFIAR, Internationally Relevant Developments in Audit 
Markets (July 20, 2021), available at https://www.ifiar.org/?wpdmdl=13063.
    \26\ See id. at 24.
    \27\ See id. at 23-24 (footnote omitted).
---------------------------------------------------------------------------

    Recent academic studies support these initiatives, having found 
that audit firms subject to transparency regulations display 
improvement in audit quality, and transparency is associated with 
improved investor confidence,\28\ as discussed more fully in the 
release's economic analysis.
---------------------------------------------------------------------------

    \28\ See, e.g., Shireenjit K Johl, Mohammad Badrul Muttakin, 
Dessalegn Getie Mihret, Samuel Cheung, and Nathan Gioffre, Audit 
firm transparency disclosures and audit quality, 25 International 
Journal of Auditing 508 (2021); Fabio La Rosa, Carlo Caserio, and 
Francesca Bernini, Corporate Governance of Audit Firms: Assessing 
the usefulness of transparency reports in a Europe[hyphen]wide 
Analysis, 27 Corporate Governance: An International Review 14 
(2018).
---------------------------------------------------------------------------

    Many firms also voluntarily disclose governance and other 
information in transparency reports. For example, one audit quality 
disclosure framework published in 2023 seeks to support those firms' 
efforts with a disclosure framework ``to assist firms in their ongoing 
efforts to determine, assess, and communicate information that may be 
useful to stakeholders in understanding how audit quality is supported 
and monitored at the firm level.'' \29\ Among other things, the model 
disclosure framework emphasizes governance disclosures, noting that 
``organizational structure and composition of a firm's governing body, 
leadership team, internal committees, professional practice group 
(e.g., national office or similar body), audit quality networks, and 
partnerships/alliances (for example) give insight into who is 
responsible for oversight of audit quality initiatives.'' \30\
---------------------------------------------------------------------------

    \29\ See CAQ, Audit Quality Disclosure Framework (Update) (June 
2023), available at https://thecaqprod.wpenginepowered.com/wp-content/uploads/2023/06/caq_audit-quality-disclosure-framework-update_2023-06.pdf.
    \30\ See id.
---------------------------------------------------------------------------

    As another example, in 2015, after yearslong public engagement and 
study, the International Organization of Securities Commissions (IOSCO) 
published a report.\31\ In connection with this consultation, IOSCO 
observed that ``[m]ost investors, audit oversight bodies, and banking 
and securities regulators expressed views that increased transparency 
reporting should be an obligation of audit firms and that such 
reporting could have direct or indirect benefits, including a favorable 
impact on audit quality.'' \32\ IOSCO further noted that ``user/
investor groups and auditor oversight bodies and regulators expressed 
support for the full range of transparency reporting discussed in the 
Consultation Paper,'' which included information related to audit firm 
governance, audit firm financial statements, and audit quality 
indicators.\33\ Respondents from the audit profession, the report 
notes, ``broadly supported transparency reporting related to audit firm 
organization and governance, to make the structure of the firm more 
transparent to stakeholders, but had mixed views on transparency 
reporting of audit firm operational metrics and performance statistics 
that might serve as audit quality indicators, especially with respect 
to public reporting of such information.'' \34\
---------------------------------------------------------------------------

    \31\ See IOSCO, Transparency of Firms that Audit Public 
Companies Final Report (Nov. 2015), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD511.pdf.
    \32\ See IOSCO, Comments Received in response to Consultation 
Reports on Issues Pertaining to the Audit of Publicly Listed 
Companies (2010), at 12, available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD337.pdf.
    \33\ See id. at 12-14.
    \34\ See id. at 13.
---------------------------------------------------------------------------

    In issuing its report, IOSCO observed that ``in comparing audit 
firms competing for an audit engagement, audit firm transparency 
reporting can aid those responsible for selecting a public company's 
auditor in their decision making process by providing information on a 
firm's audit quality,'' and that ``[t]ransparency reporting can foster 
internal introspection and discipline within audit firms and may 
encourage audit firms to sharpen their focus on audit quality, which 
would also be of benefit to investors and other stakeholders.'' \35\ 
The report contended that an audit firm transparency report could be 
considered of high quality if the information in the report included, 
among other elements, information about the audit firm's legal and 
governance structure.\36\
---------------------------------------------------------------------------

    \35\ See IOSCO, Transparency of Firms (2015), at 1.
    \36\ See id.
---------------------------------------------------------------------------

    Thus, there is substantial transparency reporting by audit firms, 
including but not limited to audit firm financial, governance, and 
network-related information, both in response to regulatory 
requirements and to market demands. Much of this reporting, moreover, 
provides information beyond what is currently required by the

[[Page 96717]]

PCAOB's periodic and special reporting requirements.
    Some commenters on the proposal acknowledged that transparency 
reports have not completely resolved the present opacity with respect 
to various aspects of audit firms and that the Board's proposed 
revisions would mitigate this lack of transparency. In contrast, some 
commenters stated that voluntary transparency reports already contain 
some of the information the Board has requested or that the PCAOB 
should more closely study such reports to pinpoint any duplicative 
disclosure requirements. The Board agrees that some firms already 
disclose some of the information in the final amendments in voluntary 
transparency reports. But the Board's analysis indicates such 
information is not consistent or comparable across firms or even year 
to year for the same firms. The Board continues to believe that 
voluntary transparency reporting has not sufficiently mitigated audit 
firm opacity, and that the final amendments will promote further 
transparency and enhance standardization and comparability of available 
information.
4. PCAOB Advisory Group Input
    The PCAOB's June 2022 Investor Advisory Group (IAG) meeting 
included discussion of audit firm transparency, including support for 
reporting measures of audit quality and other outstanding ACAP 
recommendations.\37\ For example, during an IAG discussion that was 
focused on the relationship between a firm's audit practice and the 
firm's overall business, an IAG member urged the PCAOB to revisit 
ACAP's recommendations and noted ACAP's emphasis on governance, 
leadership, and structure and business model.\38\ Moreover, the IAG 
previously discussed the status of ACAP recommendations, including the 
recommendation for large firms to submit financial statements, which 
generated support from IAG members.\39\ For example, discussing the 
importance of audit firms, an IAG member stated that ``the investor 
community strongly believes that . . . it is only reasonable to expect 
some level of disclosure about the manner in which the firms are 
governed and about their financial strength and sustainability that is 
much greater than the information that's provided today.'' \40\ Members 
of the IAG submitted a comment letter to the Proposal, in which they 
expressed support for the Proposal's fulfillment of the 2008 ACAP 
recommendation and discussed how the proposal would allow investors to 
make more informed decisions and assist the PCAOB in exercising its 
oversight responsibilities.
---------------------------------------------------------------------------

    \37\ See PCAOB Investor Advisory Group Meeting (June 8, 2022), 
available at https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting-2022.
    \38\ See PCAOB Investor Advisory Group Meeting (June 8, 2022), 
Transcript, at 127:2; 152:18.
    \39\ See PCAOB Investor Advisory Group Meeting (Oct. 27, 2016); 
see also Steven B. Harris, Board Member, PCAOB, Audit Industry 
Concentration and Potential Implications, address at the 2017 
International Institute on Audit Regulation (Dec. 7, 2017), 
available at https://pcaobus.org/news-events/speeches/speech-detail/audit-industry-concentration-and-potential-implications_674. (``At 
this year's IAG meeting, members recommended by unanimous consent 
that the Big Four provide annual audited financial statements.'').
    \40\ See PCAOB Investor Advisory Group Meeting (Oct. 27, 2016) 
Meeting Transcript, at 179:16, available athttps://
assets.pcaobus.org/pcaob-dev/docs/default-source/news/events/documents/102716-iag-meeting/iag-meeting-transcript-10-27-16.pdf?sfvrsn=5cb1d454_0.
---------------------------------------------------------------------------

    The September 26, 2024 meeting of the PCAOB's IAG included a 
discussion of audit firm ownership structures and funding arrangements, 
during which members observed a lack of reporting in this area.\41\
---------------------------------------------------------------------------

    \41\ See PCAOB Investor Advisory Group Meeting (Sept. 26, 2024), 
available at https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting-september-2024.
---------------------------------------------------------------------------

5. Cybersecurity Developments
    Cybersecurity incidents have increased in recent years in size, 
frequency, and sophistication. Federal financial regulators have 
responded by imposing new cyber-specific reporting requirements. For 
example, the SEC has adopted new cybersecurity reporting requirements 
for public companies and proposed new cybersecurity reporting 
requirements for investment managers.\42\ In proposing certain of these 
requirements, the SEC noted that
---------------------------------------------------------------------------

    \42\ See Cybersecurity Risk Management, Strategy, Governance, 
and Incident Disclosure, SEC Rel. No. 33-11216 (July 26, 2023); 
Cybersecurity Risk Management for Investment Advisers, Registered 
Investment Companies, and Business Development Companies, SEC Rel. 
No. 33-11028 (Feb. 9, 2022).

[t]he U.S. securities markets are part of the Financial Services 
Sector, one of the sixteen critical infrastructure sectors whose 
assets, systems, and networks, whether physical or virtual, are 
considered so vital to the United States that their incapacitation 
or destruction would have a debilitating effect on security, 
national economic security, national public health or safety, or any 
combination thereof.\43\
---------------------------------------------------------------------------

    \43\ SEC Rel. No. 34-97142, at 8.

---------------------------------------------------------------------------
    The SEC has further noted that

[c]ybersecurity risks have increased for a variety of reasons, 
including the digitalization of registrants' operations; the 
prevalence of remote work, which has become even more widespread 
because of the COVID-19 pandemic; the ability of cyber-criminals to 
monetize cybersecurity incidents, such as through ransomware, black 
markets for stolen data, and the use of crypto-assets for such 
transactions; the growth of digital payments; and increasing company 
reliance on third party service providers for information technology 
services, including cloud computing technology.\44\
---------------------------------------------------------------------------

    \44\ See Cybersecurity Risk Management, Strategy, Governance, 
and Incident Disclosure, SEC Rel. No. 33-11038 (Mar. 9, 2022), at 6-
7 (footnotes omitted).

    Bank regulators now require that certain banks and their service 
providers notify regulators within 36 hours of cybersecurity incidents 
that have ``materially disrupted or degraded'' the organization.\45\ In 
adopting these requirements, the banking regulators noted that 
``[c]yberattacks targeting the financial services industry have 
increased in frequency and severity in recent years.'' \46\
---------------------------------------------------------------------------

    \45\ See Computer-Security Incident Notification Requirements 
for Banking Organizations and Their Bank Service Providers, 86 FR 
66424 (Nov. 23, 2021).
    \46\ Id. at 66425 (footnote omitted).
---------------------------------------------------------------------------

    PCAOB staff experience indicates that the cybersecurity landscape 
faced by audit firms continues to evolve and that cybersecurity 
incidents at audit firms are increasing in both volume and complexity. 
Accounting and financial data may be particularly attractive targets 
for such attacks.\47\ Some reports suggest that cyberattacks on 
accounting firms increased by 300 percent in the several months after 
the onset of the COVID-19 pandemic.\48\
---------------------------------------------------------------------------

    \47\ See Chris Gaetano, More than a third of orgs had 
accounting-related cyber incidents, Accounting Today Online (Feb. 8, 
2023) (``A recent poll of C-suite and other executives from Big Four 
firm Deloitte showed evidence of this. It found that 34.5% of 
organizations have experienced at least one `cyber event' targeting 
accounting and financial data over the past year. Of these, 12.5% 
have experienced more than one. Executives don't expect this to ease 
up anytime soon either, as almost half--48.8%--expect that the 
number of cyber incidents will increase over the next year.'').
    \48\ See Gary Salman, The rise of cybercrime in the accounting 
profession continues, Accounting Today Online (Aug. 24, 2020); see 
also Maggie Miller, FBI sees spike in cyber crime reports during 
coronavirus pandemic, The Hill (Apr. 16, 2020).
---------------------------------------------------------------------------

    The September 26, 2024 meeting of the PCAOB's IAG included a 
discussion of cyber risks in external audits.\49\
---------------------------------------------------------------------------

    \49\ See PCAOB Investor Advisory Group Meeting (Sept. 26, 2024), 
available at https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting-september-2024.
---------------------------------------------------------------------------

    The increased prevalence of cybersecurity incidents has 
implications for the operations of audit firms, the degradation of 
which could impact their provision of audit services, as well as for 
improper access to confidential data of issuers and individuals by bad 
actors and other third parties.
6. Rulemaking History
    On April 9, 2024, the Board proposed to amend its annual and 
special

[[Page 96718]]

reporting requirements in the following ways:
     Revise Form 2 to require more information regarding a 
firm's network arrangements; leadership and governance structure; and 
fees collected and client base, and implement a new requirement for the 
largest accounting firms to confidentially submit financial statements 
to the PCAOB on an annual basis and in conformity with an applicable 
reporting framework;
     Revise Form 3 to shorten the timeframe for reporting from 
30 days to 14 days (or more promptly as warranted), and expand the 
scope of special reporting to include (on a confidential basis) events 
that pose a material risk, or represent a material change, to the 
firm's organization, operations, liquidity or financial resources, or 
provision of audit services;
     Implement new cybersecurity reporting requirements, 
including reporting of significant cybersecurity incidents within five 
business days on a confidential basis and public reporting of a 
description of a firm's policies and procedures, if any, to identify, 
assess, and manage cybersecurity risks; and
     Implement new Form QCPP to capture updates to a firm's 
quality control policies currently provided in a firm's application for 
registration (Form 1).
    The Board received comment letters on the proposal from over 35 
commenters across a range of affiliations, including firms and firm-
related groups, investors and investor-related groups, trade groups, 
consultants, and others. Some commenters asked the PCAOB for more than 
60 days to respond to the proposal, citing overlapping comment proposal 
periods, the duration of comment periods, the length and complexity of 
various proposals, and overlapping SEC Form 19b-4 filing comment 
periods. Some commenters recommended the PCAOB engage in further 
outreach, or re-propose, before finalizing any new Firm Reporting 
requirements. The Board believes that 60 days was a sufficient period 
for comment on the proposal. The Board notes that it continued to 
receive comment letters that were submitted after the 60-day period 
closed and those letters are considered in this release. The Board 
received robust comments on the proposal, which have importantly 
informed the final amendments. The Board considers the comments 
throughout this release.
Improvements To Audit Firm Reporting Requirements
    The Board believes that the final amendments will improve audit 
firm reporting in several respects:
    Decision-useful information. The Board's oversight indicates that 
quantitative and qualitative aspects of firm structure, resources, and 
operations could impact the ability of firms to conduct quality audits, 
and therefore more public disclosure about registered firms will 
facilitate informed decision-making and risk assessment by investors 
and audit committees. As discussed further in the economic analysis, 
because standardized disclosures by audit firms support audit 
committees' and investors' abilities to identify a firm whose 
characteristics best meet investor needs regarding the audit, the final 
amendments will ultimately enhance the quality of audits. In this 
regard, the Board notes that the newly required information should be 
useful both on its own and in conjunction with other public information 
regarding audit firms, including, for example, the metrics included in 
Firm and Engagement Metrics, if approved by the SEC. The Board further 
believes enhanced firm transparency will improve investor confidence in 
public company audits because it will increase the information 
available to efficiently and effectively evaluate a firm for 
ratification.
    Some commenters, principally investor-related groups, supported the 
usefulness of the proposed information, including stating that the 
proposal can produce significant benefits to investors by providing 
information they currently do not have access to that can assist them 
in making more informed decisions about whether to vote to approve the 
ratification of the auditor or the election or reelection of board 
members, or in exercising their responsibilities for oversight of the 
audit committees of public companies. One commenter mentioned that the 
PCAOB would be able to standardize the information received, and 
mitigate the submission of incomplete, inaccurate, or insufficiently 
detailed information, thus facilitating the PCAOB's regulatory 
functions (i.e., firm monitoring, the inspection program, enforcement 
investigations, and the PCAOB's standard-setting process). Some 
commenters, principally firms or firm-related groups, questioned the 
usefulness of the proposed information, including stating that the 
proposed information does not appear to be relevant or useful to 
investors or audit committees and questioning how the proposed 
requirements would impact audit quality. One commenter stated its 
belief that investor decision-making is based on issuer financial 
performance and not information about the firms that audit those 
issuers, highlighting the audit committee's statutory responsibility to 
represent the needs of investors.
    In the discussion below, the Board summarizes and considers 
comments on this subject related to individual requirements, and sets 
forth the ways it is modifying the requirements in the final amendments 
to better focus on information that will be useful to stakeholders in 
their decision-making. In general, the Board continues to believe that 
enhanced information regarding audit firms will support audit 
committees' abilities to efficiently and effectively compare firms in 
their appointment decisions and monitoring efforts, and investors' 
abilities to efficiently and effectively compare firms in their 
ratification decisions and monitoring efforts, and in their capital 
allocation decisions. The required disclosures will also provide 
indirect benefits linked to audit quality, financial reporting quality, 
capital market efficiency, and competition, as discussed below.
    Data and information to support the PCAOB's regulatory mission. The 
Board believes that more reporting by registered firms will (1) 
facilitate monitoring of firms for risks or issues that may affect the 
ability of firms to conduct quality audits and may potentially affect 
the broader market for audit services; (2) facilitate analysis and 
planning related to the PCAOB's inspection program; (3) identify 
circumstances or events that may warrant or inform enforcement 
investigations; and (4) inform the PCAOB's standard-setting and 
rulemaking processes. The Board notes the PCAOB actively engages in 
policy research related to the market for assurance services to further 
the PCAOB's mission by informing the standard-setting agenda, among 
other things. The additional data provided by this proposal will 
enhance the PCAOB's ability to produce impactful research and translate 
that gained knowledge into improved standards and rules. Relatedly, the 
additional data will also provide valuable information sources for the 
public, including academic research. Improved research quality is an 
important benefit, as it is an important element of the PCAOB's 
standard-setting projects.
    Some commenters agreed that the proposed requirements would enhance 
the PCAOB's oversight, including

[[Page 96719]]

stating that the proposal would facilitate the PCAOB's regulatory 
functions, i.e., firm monitoring, the inspection program, enforcement 
investigations, and the PCAOB's standard-setting process. Some 
commenters questioned the usefulness of the information to the PCAOB's 
oversight, including stating that the PCAOB can require information 
through the inspection process. A commenter stated that, in terms of 
how the various disclosures enhance the PCAOB's regulatory function, 
each of the disclosures should be considered as to how individually or 
taken together it provides information on a firm's ability to conduct 
quality audits. In a section below, the Board summarizes and considers 
comments on this subject related to individual requirements, and sets 
forth the ways it is modifying the requirements in the final amendments 
to better focus on information that will yield information useful to 
the Board's oversight. In general, the Board continues to believe that 
requiring information through reporting requirements (in contrast to 
through the inspection process) will enhance the Board's oversight and 
operating effectiveness. Standardizing the information collected will 
facilitate comparison across firms and contribute to more effective use 
of inspection resources, more timely reporting of certain events will 
expedite the Board's efforts to identify regulatory tools and 
mechanisms in response to potential disruptions in the timely issuance 
of audit opinions under certain circumstances, and the improved data 
set will enhance standard-setting and rulemaking, as discussed in the 
economic analysis.
    Improved standardization of information. In addition to making more 
information available, formalizing reporting requirements will make the 
information more useful by increasing standardization and 
comparability. This will serve both public transparency interests and 
the PCAOB's regulatory function.
    Some commenters, principally firms or firm-related groups, 
questioned whether the proposed requirements would achieve 
comparability, including stating that firms vary significantly in size 
and structure making it more difficult to compare firm to firm, stating 
that comparison of the information reported is unlikely to result in a 
ranking or judgment of one firm being more qualified than others to 
serve as auditor for an issuer or broker dealer, and encouraging the 
Board to clarify the information to be reported to support 
comparability. Similarly, some commenters called for an alternative 
disclosure regime, including one commenter who suggested an alternative 
similar to the EU's principles-based system which could provide similar 
public benefits at much lower cost.
    In a discussion below, the Board summarizes and considers comments 
on this subject related to individual reporting requirements and 
discusses clarifications to reporting requirements which should support 
comparability. In general, the Board continues to believe that setting 
forth mandatory reporting requirements, as compared to voluntary 
reporting and/or supplemental or ad hoc information requests through 
the inspection process, will overall improve standardization and 
comparability of information available, as discussed in the economic 
analysis. At the same time, the reporting provisions permit narrative 
disclosures to accommodate the need for context for the reported 
information. The final amendments seek to balance the need for 
specificity in the requirements with the need to accommodate 
principles-based disclosure to permit judgment on the part of the firms 
regarding how to contextualize reported information.
    Improved timeliness of certain information. By requiring certain 
special reports on a shorter timeframe, namely material events and 
cybersecurity incidents, enhanced special reporting requirements will 
get useful information to the PCAOB more quickly. As discussed below, 
commenters raised questions on the need for more timely reporting of 
existing Form 3 events, and in consideration of these comments and the 
Board's reporting objectives, the Board determined not to adopt the 
acceleration of the Form 3 deadline for existing reporting items. 
However, the Board has adopted accelerated reporting deadlines for 
material events and cybersecurity incidents because those events are, 
by definition in the final amendments, significant and likely to 
represent issues meriting more urgent reporting. For those events, the 
Board continues to believe more accelerated reporting to the Board is 
appropriate and will enable the Board to respond to potential 
disruptions or alterations in audit firm operations appropriately.
Key Provisions of the Final Amendments
    In light of the above, the Board has enhanced the required 
reporting of certain information by registered firms:
     Financial Information: The Board has adopted amendments to 
require all registered firms to report on the Annual Report Form 
additional fee information, and to require the largest registered firms 
to confidentially submit financial statements to the PCAOB. The Board 
believes such information will provide insight into a firm's practice, 
focus, and incentives, and inform the PCAOB's oversight of registered 
firms. The Board also believes that public fee data will inform 
decision-making and risk assessment by investors, audit committees, and 
others.
     Governance Information: The Board has adopted amendments 
to require all registered firms to report on the Annual Report Form 
additional information regarding their leadership, legal structure, 
ownership, and other governance information, including reporting on 
certain key Quality Control operational and oversight roles. The Board 
believes that such information will help investors and audit committees 
to better understand firm processes and priorities, and to 
differentiate among firms with respect to, for example, leadership, 
oversight, and independence practices. Such information will also 
bolster the PCAOB's oversight of registered firms, complementing and 
improving upon the information already collected through the 
inspections process.
     Network Relationships: The Board has adopted amendments to 
require a more detailed public description on Form 2 of any network 
arrangement to which a registered firm is subject, including describing 
the network's structure, the registered entity's access to resources 
such as audit methodologies and training, whether the firm shares 
information with the network regarding its audits including whether the 
firm is subject to inspection by the network. The Board believes such 
information will give the PCAOB, investors and audit committees greater 
insight into how a network arrangement influences firm governance and 
the conduct of audits, including oversight and access to resources.
     Special Reporting: The Board has adopted amendments to 
implement a new confidential special reporting requirement for events 
material to a firm's organization, operations, liquidity or financial 
resources, such that they affect the provision of audit services. This 
provision is applicable to annually inspected firms. The Board believes 
that more formalized reporting of material events that will affect 
audit services will inform the PCAOB's oversight of registered firms 
and facilitate the Board's timely response to events that may 
potentially disrupt or alter the provision of audit services.
     Cybersecurity: The Board has adopted amendments to require 
prompt confidential reporting of significant

[[Page 96720]]

cybersecurity events on the Special Report Form and periodic public 
reporting of a brief description of the firm's policies and procedures, 
if any, to identify and manage cybersecurity risks on the Annual Report 
Form. The Board believes that reporting of such information will inform 
the PCAOB, investors, audit committees, and other stakeholders of 
critical information regarding the potential for disruptions of audit 
firm operations that may impact the provision of audit services and 
indicate potential compromises of individual or issuer information, and 
information regarding the audit firm's management of cybersecurity risk 
that will inform decision-making and risk assessment.
     Updated Description of QC Policies and Procedures: The 
Board has adopted a new form that will require any firm that registered 
with the Board prior to the date that QC 1000 becomes effective 
(December 15, 2025) to submit an updated statement of the firm's 
quality control policies and procedures pursuant to QC 1000. The Board 
believes it is important that firms update the statement regarding 
their quality control policies and procedures, originally made in 
connection with their registration application on Form 1, to reflect 
the changes to their policies and procedures made in response to the 
new quality control standard.
1. Authority
    As with the Board's original promulgations of Form 2 and Form 3, 
the Board's authority for the amendments and rules is well settled.\50\ 
Section 102(d) of Sarbanes-Oxley provides that ``Each registered public 
accounting firm shall submit an annual report to the Board, and may be 
required to report more frequently . . . to provide to the Board such 
additional information as the Board or the Commission may specify, in 
accordance with subsection (b)(2).'' Subsection 102(b)(2)(H), in turn, 
provides that ``Each public accounting firm shall submit, . . . in such 
detail as the Board shall specify . . . such other information as the 
rules of the Board or the Commission shall specify as necessary or 
appropriate in the public interest or for the protection of 
investors.'' This broad mandate leaves no doubt that the Board's 
authority rests on firm ground.
---------------------------------------------------------------------------

    \50\ See PCAOB Rel. No. 2008-004, at 4; see also Proposed Rules 
on Periodic Reporting by Registered Public Accounting Firms, PCAOB 
Release No. 2006-004, at 2 (May 23, 2006).
---------------------------------------------------------------------------

    First, under the plain text of Section 102(b)(2)(H), the amendments 
and rules need only be either (1) ``necessary'' or (2) ``appropriate,'' 
and either (a) ``in the public interest'' or (b) ``for the protection 
of investors.'' Each of the reporting requirements adopted in this 
release plainly satisfies multiple--and at least one (which is all that 
is required)--of the four permutations that provide an avenue of 
authority.
    As explained herein and in the proposal, the reporting of publicly 
available information will assist investors, and audit committees, 
among others, to better assess aspects of firm operations that may 
influence the conduct of audits. Both individually and collectively, 
this newly required information should provide a clearer, more complete 
picture of an audit firm and its capacity to perform audits.\51\ Such 
utility applies a fortiori when the information is used in conjunction 
with other publicly available data, including Form AP data and data 
from Firm and Engagement Metrics.
---------------------------------------------------------------------------

    \51\ To the extent that these benefits improve audit quality, 
they also should enhance the credibility of financial reporting. 
See, e.g., Mark DeFond and Jieying Zhang, A review of archival 
auditing research, 58 Journal of Accounting and Economics 275 (2014) 
(asserting that audit quality improves financial reporting quality 
by increasing the credibility of the financial reports).
---------------------------------------------------------------------------

    Confidentially reported information will similarly inform the 
Board, allowing the Board to learn about, or better understand, the 
operations of registered firms, providing a more comprehensive window 
into the health of registered firms and their capacity to perform 
audits. For instance, regular reporting of financial information by 
larger firms or special reporting of certain material events (e.g., a 
report on a firm's likely inability to continue as a going concern) 
will allow the Board to anticipate a potential firm closure, including 
by notifying downstream regulators (e.g., the Commission), which would 
allow those regulators to make appropriate preparations including, for 
example, issuing relief for affected issuers. Such a scenario is not 
merely hypothetical, as just this past year, the Commission issued an 
exemptive order for issuers to make certain Exchange Act filings in 
light of a registered firm shuttering its public company audit 
practice.\52\ In addition, such reporting would allow the Board to 
provide appropriate guidance to its registered firms related to, for 
example, obligations of successor auditors.
---------------------------------------------------------------------------

    \52\ Order under Section 36 of the Securities Exchange Act of 
1934 Granting Exemptions from Specified Provisions of the Exchange 
Act and Certain Rules Thereunder, SEC Release No. 34-100185 (May 20, 
2024).
---------------------------------------------------------------------------

    Information (whether reported publicly or confidentially) also will 
allow the Board to enhance or otherwise adjust its oversight as needed 
or as appropriate to protect investors and the public. Whether such 
enhancements or modifications to oversight take the form of inspection 
scoping, inspection frequency, or other regulatory actions, the result 
of the newly required disclosures is the same: the Board will have at 
its disposal greater information--both with respect to individual firms 
and trends across the audit market--to better oversee auditors of 
public companies, brokers, and dealers.
    Second, Section 102(b)(2)(H)'s use of ``appropriate'' evinces 
Congress's intent to grant significant discretion to the Board to 
determine what types of reporting is in the public interest or to 
protect investors. Indeed, such statutory language ``leave[s] [the 
Board] with flexibility'' \53\ and ``affords [the Board] broad policy 
discretion.'' \54\ That the new or enhanced reporting items described 
in the release fit neatly within the confines of that statutory 
discretion is evident by the enumerated categories of information that 
Congress required firms to disclose in Sarbanes-Oxley.
---------------------------------------------------------------------------

    \53\ Loper Bright Enters v. Raimondo, 144 S. Ct. 2244, 2263 
(2024) (quoting Michigan v. EPA, 576 U.S. 743,752 (2015) (quotation 
marks omitted)).
    \54\ Kisor v. Wilkie, 588 U.S. 558, 632 (2019) (Kavanaugh, J., 
concurring in the judgment) (``To be sure, some cases involve 
regulations that employ broad and open-ended terms like 
`reasonable,' `appropriate,' `feasible,' or `practicable.' Those 
kinds of terms afford agencies broad policy discretion, and courts 
allow an agency to reasonably exercise its discretion to choose 
among the options allowed by the text of the rule.'').
---------------------------------------------------------------------------

    For instance, Congress mandated that firms disclose in their 
application for registration ``annual fees received by the firm from 
each such issuer, broker, or dealer for audit services, other 
accounting services, and non-audit services, respectively,'' \55\ and 
``such other current financial information for the most recently 
completed fiscal year of the firm as the Board may reasonably 
request.'' \56\ It requires no straining of ``appropriate'' to conclude 
that requiring that the same or similar fee and financial information 
be submitted annually (as opposed to only upon registration) is of a 
piece with Sections 102(b)(2)(B) and (C) of Sarbanes-Oxley.\57\ That is 
especially so given that

[[Page 96721]]

Congress expressly contemplated that the Board would require firms to 
``update''--annually or ``more frequently''--``the information 
contained in [their] application[s] for registration.'' \58\ The Board 
made such a determination when it initially adopted fee reporting 
requirements on Form 2 in 2008 in the form percentages (e.g., audit 
fees billed to issuers as a percentage of all fees). The final 
amendments modestly build out the fee reporting requirements, as 
described in greater detail in below, by requiring reporting of fee 
amounts (rather than percentages) to increase the usefulness of the 
reported information by requiring the data in a form that lends itself 
to greater analysis (e.g., comparisons of size of audit practices 
across firms).
---------------------------------------------------------------------------

    \55\ Section 102(b)(2)(B) of Sarbanes-Oxley.
    \56\ Id. Section 102(b)(2)(C).
    \57\ That same reasoning applies to ``necessary'' in Section 
102(b)(2)(H) in Sarbanes-Oxley. See, e.g., Metrophones Telecommc'ns, 
Inc. v. Global Crossing Telecommc'ns, Inc., 423 F.3d 1056, 1068 (9th 
Cir. 2005) (``Given the reach of the [FCC's] rulemaking authority 
under Sec.  201(b)''--which granted to the FCC the ``broad power to 
enact such `rules and regulations as may be necessary in the public 
interest to carry out the provisions of this Act' ''--``it would be 
strange to hold that Congress narrowly limited the Commission's 
power to deem a practice `unjust or unreasonable.' ''); Brown v. 
Azar, 497 F. Supp. 3d 1270, 1281 (N.D. Ga. 2020) (``[W]hen an agency 
is authorized to `prescribe such rules and regulations as may be 
necessary in the public interest to carry out the provisions of the 
Act,' Congress' intent to give an agency broad power is clear.''), 
appeal dismissed as moot, 20 F.4th 1385 (11th Cir. 2021) (mem.).
    \58\ Id. Section 102(d).
---------------------------------------------------------------------------

    Similarly, Congress mandated that firms disclose ``a list of all 
accountants associated with the firm who participate in or contribute 
to the preparation of audit reports, stating the license or 
certification number of each such person, as well as the State license 
numbers of the firm itself.'' \59\ It strains credulity to think that 
the newly required disclosures--of the names of individuals serving in 
leadership positions, or of a firm's governance structure as a whole, 
or of a firm's network information--are outside the bounds of 
``appropriate'' in light of the information (and the granularity of 
such information) that Congress required of firms when applying for 
registration.\60\ Indeed, the Board originally construed network 
information as an appropriate subject of periodic reporting when the 
Board required it in 2008 when adopting Form 2. The final amendments 
merely require incremental additional information regarding network 
arrangements to increase the usefulness of the network disclosures by 
providing greater information regarding, for example, network members 
access to network resources.
---------------------------------------------------------------------------

    \59\ Id. Section 102(b)(2)(E) (emphasis added).
    \60\ Section 101 of Sarbanes-Oxley supplies ancillary authority 
for this rulemaking. For example, Section 101(c)(5) empowers the 
Board to ``perform such other duties or functions as the Board . . . 
determines are necessary or appropriate to . . . carry out this Act, 
in order to protect investors, or to further the public interest.'' 
In addition, Section 101(g)(1) provides rulemaking authority to the 
Board, specifying that the Board's rules ``provide for the operation 
and administration of the Board, the exercise of its authority, and 
the performance of its responsibilities under'' Sarbanes-Oxley.
---------------------------------------------------------------------------

    Some firm and firm-related groups questioned the Board's statutory 
authority to require the proposed information. Commenters believe that 
the Board's authority under Section 102(b)(2) is more limited than the 
Proposal's interpretation. One commenter stated that the Board's 
reliance on the phrase ``such other information'' in Section 
102(b)(2)(H) is constrained and, in analogizing to a Supreme Court 
ruling, expressed that ``statutory reference'' to the adoption of 
regulations that are ``necessary or appropriate'' does not give an 
agency ``authority to act, as it [sees] fit, without any other 
statutory authority.'' This commenter argued that the phrase ``such 
other information'' must refer to items ``similar in nature to those 
objects enumerated by the preceding specific words'' (i.e., the Board's 
authority to require the provision of ``other'' information under 
subsection (b)(2)(H) is limited to information of the type enumerated 
in subsections (b)(2)(A) through (b)(2)(G), which includes the names of 
clients, fees received from issuers and broker-dealers, certain other 
financial information, quality control policies, the names of 
accountants, criminal or civil proceedings, and instances of accounting 
disagreements). As explained above however, the required disclosures 
are in fact similar in nature to those statutorily enumerated reporting 
items and also fall within the Board's authority under subsection 
(b)(2)(H).
    Another commenter stated that none of the proposed requirements are 
covered under Sections 102(b)(2)(A) through (G), that the Sarbanes-
Oxley Act does not give the PCAOB authority to tell audit firms how to 
run their businesses, and that monitoring audit firm financial 
stability and market risk is not within the PCAOB's remit. That 
position, however, does not account for Congress's mandate that firms 
disclose on their registration applications ``annual fee [ ]'' and 
``current financial information,'' as set forth in Sections 
102(b)(2)(B) and (C) of Sarbanes-Oxley, and Congress's empowering the 
Board to require firms to ``update the information contained in [their] 
application[s] for registration'' annually or ``more frequently,'' as 
set forth in Section 102(d). Moreover, nothing in this rulemaking is 
intended to ``tell audit firms how to run their businesses.'' For 
example, the rulemaking does not contemplate a preferred governance 
structure for firms (let alone mandate such a structure); the 
rulemaking merely requires disclosure of a firm's governance structure, 
whatever that structure may be. Commenters also specifically asserted 
that the Board's rulemaking authority under Section 101(c)(5) is not a 
``catch all'' authority for the Board to adopt any rule that it deems 
in the public interest. One commenter expressed that this provision 
does not grant the Board the authority to engage in rulemaking, and the 
``public interest'' and ``necessary or appropriate'' clauses place the 
same constraints on the Board mentioned above. In other words, the 
commenter stated, a ``statutory reference'' to the performance of 
duties or functions that are ``necessary or appropriate'' does not give 
an agency ``authority to act, as it [sees] fit, without any other 
statutory authority.''
    Although the Board agrees that ``necessary'' and ``appropriate'' 
are not unbounded, they provide a broad degree of discretion and 
flexibility, as noted above and as recognized by courts.\61\ Moreover, 
Section 102(b)(2)(H) expressly contemplates the provision of ``other 
information'' the Board may require through rulemaking. Courts have 
described such statutory language as signifying ``a catch-all 
provision.'' \62\ In fact, based on its plain meaning, one appeals 
court has read ``other'' as necessarily introducing categories that are 
distinct from anything that preceded it, meaning that ``such other 
information'' in Section 102(b)(2)(H) need not ``address'' the types of 
information in Sections 102(b)(2)(A)-(G).\63\
---------------------------------------------------------------------------

    \61\ See supra footnotes 54 and 55 and accompanying text; see 
also footnote 58.
    \62\ Navajo Nation v. Dalley, 896 F.3d 1196, 1212 (10th Cir. 
2018); see also, e.g., Madison v. Virginia, 474 F.3d 118, 133 (4th 
Cir. 2006) (``other Federal statute prohibiting discrimination'' is 
a ``catch-all provision''); cf. Meehan v. Atl. Mut. Ins. Co., 2008 
WL 268805, at *7 (E.D.N.Y. Jan. 30, 2008) (``The term `other 
policies' now accomplishes the task of including all governmental 
activity and becomes a catch-all phrase including all other policies 
not already implied[.]'' (citations and quotation marks omitted)).
    \63\ Navajo Nation, 896 F.3d at 1212-13 (``Congress expressed 
its scope in broad terms, to encompass `any other subjects that are 
directly related to the operation of gaming activities.' But the key 
word here is `other.' . . . And applying the ordinary and everyday 
meaning of the word `other' . . . , it becomes patent that Congress 
did not intend for that clause to address the `subjects' covered in 
the preceding clauses of subsection (C)[.]'' (citation omitted)).
---------------------------------------------------------------------------

    Further, with respect to the assertion that Section 101(c)(5) is 
not a ``catch-all'' for the Board to adopt any rule it deems in the 
public interest, the Board notes that Section 101(c)(5) uses the same 
statutory language ``other'' as Section 102(b)(2)(H), discussed 
immediately above. For that reason, Section 101(c)(5) would be aptly

[[Page 96722]]

described as a ``catch-all'' provision,\64\ and the reporting 
requirements fit neatly within the bounds of the statute insofar as the 
Board has ``determine[d]'' them to be ``necessary or appropriate . . . 
to carry out [Sarbanes-Oxley], in order to protect investors, or to 
further the public interest.'' \65\ In all events, although Section 
101(c)(5) supplies an independent basis of authority, the Board's 
primary authority for the reporting requirements is Section 102 of 
Sarbanes-Oxley, and the Board's authority under Section 102 is not 
dependent on its authority under Section 101(c)(5).
---------------------------------------------------------------------------

    \64\ See supra footnote 63.
    \65\ Section 101(c)(5) of Sarbanes-Oxley.
---------------------------------------------------------------------------

    This release has outlined how the disclosures mandated will enhance 
transparency and bolster the PCAOB's oversight capabilities. Such 
enhancements are designed to improve PCAOB oversight and inform 
investor and audit committee decisions, and in turn to protect 
investors and enhance audit quality, fully aligning with the 
overarching objectives of Sarbanes-Oxley, and therefore are appropriate 
exercises of the Board's authority under Section 102.\66\
---------------------------------------------------------------------------

    \66\ In response to the concerns raised by firm commenters 
regarding the Board's use of Sarbanes-Oxley's relevant ``necessary 
and appropriate'' clauses, it is important to clarify that the Board 
has not claimed any implicitly delegated authority beyond the 
regulatory parameters established by Congress. The use of the 
Section 101 and 102 authorities in this rulemaking is firmly 
grounded within the explicit mandates provided by Sarbanes-Oxley, 
and is consistent with the statutory limitations and directives 
outlined in those provisions. The Board's application of these 
authorities has been aimed at enhancing transparency and regulatory 
oversight, and therefore ultimately the quality of audits of issuers 
and broker-dealers, which directly aligns with the PCAOB's core 
mission to protect investors and the public interest. The Board has 
utilized the tools provided by Sarbanes-Oxley to carry out the 
responsibilities entrusted to us.
---------------------------------------------------------------------------

    Other commenters specifically raised concern related to reporting 
requirements extending beyond a registered firm's issuer and broker-
dealer audit practice. In this vein, commenters raised authority 
concerns with respect to particular aspects of the proposed 
requirements:
     Fee reporting unrelated to issuer and broker-dealer 
audits.
     Financial statements reporting, which would include 
financial information beyond the audit practice.
     Cybersecurity incident reporting unrelated to a firm's 
issuer or broker-dealer audit practices.
     Governance reporting such as processes governing a change 
in the form of organization.
     Network-related reporting requirements which called for 
information regarding the registered entity's relationship to an 
unregistered entity.
     Material event reporting, which called for events material 
to the firm broadly.
    The PCAOB's statutory mandate is not circumscribed to information 
related specifically to issuer or broker-dealer audits. Indeed, Section 
102(b)(2)(B) expressly contemplates the provision of information 
relating to ``other accounting services'' and ``non-audit services.'' 
That makes sense, as information related to a registered firm's broader 
operations is relevant to the conduct of the audit practice.\67\ 
Nevertheless, the proposed requirements were crafted to elicit 
reporting regarding aspects of a firm's operations that are linked to 
its conduct of audits as described above, including the relationship of 
the audit practice to the overall business, firm and network resources 
available for the audit practice, and events at the firm level that 
will affect the firm's ability to conduct audits. In consideration of 
comments and the Board's intended reporting objectives, nearly all of 
the specific requirements listed above have been modified to more 
firmly link the reporting requirement to aspects of the firms' 
operations that may influence the conduct of audits overseen by the 
PCAOB, as described in more detail below.\68\
---------------------------------------------------------------------------

    \67\ See PCAOB Release No. 2006-004, at 4 (the Board describing 
that it intended fee reporting across all areas of the firm's 
business to provide a ``picture of how the firm's services for 
issuer audit clients compare generally with the firm's services for 
other clients, and [ ] also [to] provide a picture of the allocation 
of services the firm provided to issuer audit clients'').
    \68\ With respect to financial statement reporting, the Board 
has modified the requirement to reduce costs to firms as discussed 
below. In addition, the Board notes that the requirement as 
initially proposed (and as the Board has adopted) is already 
narrowly tailored to the largest firms, which have an outsize impact 
on the capital markets.
---------------------------------------------------------------------------

    Lastly, as noted above, the Board reiterates that the final 
amendments set forth reporting requirements and do not purport to 
regulate how audit firms conduct their businesses. The final rules do 
not impose obligations on firms beyond reporting certain specified 
information.
2. Confidentiality
Information To Be Reported Publicly
    The proposal clarified that certain of the information provided in 
response to the new reporting items would be reported publicly, namely 
enhanced fee information, governance and network information, and 
information related to a firm's policies and procedures, if any, that 
are intended to manage cybersecurity risks.\69\ The Board did not 
propose to permit confidential treatment requests for the publicly 
reported information. Permitting confidential treatment would be 
inconsistent with an important goal of these enhanced reporting 
requirements--informing investors, audit committees, and other 
stakeholders, and promoting investor confidence in public company 
audits and financial reporting. Moreover, the Board explained in the 
proposal that it believed public disclosure of the proposed information 
was consistent with Sarbanes-Oxley.
---------------------------------------------------------------------------

    \69\ The proposal also contemplated a public one-time update to 
the ``Statement of Applicant's Quality Control Policies,'' as 
discussed below.
---------------------------------------------------------------------------

    Specifically, Section 102(e) of Sarbanes-Oxley provides that 
reports required under that section ``shall be made available for 
public inspection, subject to rules of the Board or the Commission, and 
to applicable laws relating to the confidentiality of proprietary, 
personal, or other information.'' Additionally, it requires the Board 
to ``protect from public disclosure information reasonably identified 
by the subject accounting firm as proprietary information.'' Consistent 
with the approach the Board has taken in its consideration of 
confidential treatment requests for information required by its 
existing forms, the Board understands ``proprietary'' to mean a 
formula, practice, process, or design owned by a particular firm that 
the firm keeps private for competitive advantage.\70\ The Board did not 
believe at the time of the proposal that the information it proposed 
for public reporting would require disclosure of such proprietary 
information or, based on the Board's experience in this area, that any 
other law shields the proposed information from disclosure.
---------------------------------------------------------------------------

    \70\ See Black's Law Dictionary (11th ed. 2019) (cross 
referencing ``proprietary information'' and ``trade secret'').
---------------------------------------------------------------------------

    The Board believed that much of the information proposed to be 
publicly reported is of the type that is already made public in some 
form by audit firms, including in existing transparency reporting, or 
is otherwise publicly available (although not currently centralized or 
presented on a comparable basis), and the Board designed the proposed 
reporting requirements to avoid disclosure of personal-identifying or 
client-specific information that might be protected by law, or that 
would be proprietary as the Board understands the term.
    Some commenters expressed concerns that the Board's proposal would 
not permit confidential treatment requests

[[Page 96723]]

for the public reporting items. One commenter stated that Sarbanes-
Oxley recognizes the role of confidential information in registration, 
inspections, investigations, and disciplinary proceedings, including 
the importance of the PCAOB maintaining the confidentiality of 
proprietary, personal, or other information, and that the Board should 
allow audit firms to request confidential treatment of the other 
required public disclosures and evaluate these requests on a case-by-
case basis. One commenter stated that fee amounts are proprietary 
information that should be confidential. Some commenters stated that 
the proposal would require firms to disclose proprietary information 
regarding their network-related arrangements, including network-related 
financial information. A commenter stated the information called for by 
Form QCPP would be proprietary and stated generally many of the firm's 
operational plans and challenges are proprietary.
    Lastly, some commenters questioned the PCAOB's decision to require 
public reporting of some items, stating that the proposal does not give 
sufficient weight to the way Congress envisioned investors would be 
protected, which is through the PCAOB's inspection process, a process 
that Congress carefully structured with appropriate confidentiality 
safeguards to encourage robust exchanges of information and 
perspectives between the firms and the PCAOB.
    The reporting requirements have been modified in response to 
comments, as discussed below, to further reduce the possibility that 
they call for reporting proprietary information, including in 
connection with the network-related reporting requirements. The Board 
has further clarified in the release that the requirements are not 
designed to elicit proprietary information, that information is sought 
at a high enough level to exclude proprietary information, and that the 
requirements are sufficiently principles-based to provide flexibility 
in reporting, including as it relates to network-related information 
and Form QCPP. The Board further notes that issuer fee information is 
reported in SEC filings and therefore is already public. Lastly, the 
reporting requirements have been modified to limit the disclosure of 
individual names to all but the most senior positions. Thus, the Board 
believes that the final amendments do not require the disclosure of 
information that a firm could reasonably identify as proprietary, and 
that, based on the Board's experience, no other law shields the 
required information from disclosure.
    By adopting this approach, the Board believes that prohibiting 
confidential treatment requests for the carefully tailored public 
reporting items will further the public interest in increased 
transparency while adhering to its obligation to protect certain 
categories of firm information.
    In addition, the Board notes that Sarbanes-Oxley expressly provides 
for the public reporting of audit firm information. Comments suggesting 
that investor protection is principally achieved through non-public 
submission of information to the PCAOB through its inspection processes 
do not adequately account for this aspect of Sarbanes-Oxley. The Board 
has carefully weighed its authority and obligations under Sarbanes-
Oxley when considering what reporting to make public and what 
information to require on a non-public basis.
    Some commenters expressed general concerns regarding the disclosure 
of personal data by non-U.S. firms. The Board notes it is narrowing the 
category of individuals identified under the final rules to more senior 
roles likely to be public. See below for a more complete discussion of 
personal identifying information and provisions regarding conflicts of 
laws and non-U.S. firms, including that the Board has permitted 
assertions of conflicts in connection with the disclosure of certain QC 
roles.
Information To Be Reported Confidentially
    Under the proposal, certain other information would be provided to 
the PCAOB confidentially, namely special reporting of material events, 
cybersecurity incident reporting, and financial statements from the 
largest firms.\71\ In proposing not to make this information publicly 
available, the Board weighed the public interest in public reporting of 
this information, the potentially sensitive and developing nature of 
the information requested, and the Board's obligations under Sarbanes-
Oxley.
---------------------------------------------------------------------------

    \71\ Such information described herein would be reported 
confidentially without a need for the firm to request confidential 
treatment.
---------------------------------------------------------------------------

    With respect to material event reporting, the Board noted the 
potentially sensitive and developing nature of this information. For 
example, the material event reporting item contemplated advance 
reporting of events that are anticipated and may still be developing. 
Cybersecurity incident reports, similarly, may involve developing 
events. As detailed below, the Board believes the PCAOB has a 
regulatory interest in timely notice of these types of events. However, 
the Board believes firms may be in a better position to report fully 
and candidly to the PCAOB about developing events if they are confident 
that the information would be confidential and part of an ongoing 
dialogue between the firm and the PCAOB regarding such events.
    Further, with respect to cybersecurity incident reporting, the 
Board considered the potential that public reporting of such 
information could create vulnerabilities for the audit firm (e.g., 
reporting would provide information that bad actors could leverage 
against the audit firm) in addition to the potentially developing 
nature of such incidents at the time of reporting. While the Board 
believes that cybersecurity incident information could be reported in a 
summary fashion that both protects the audit firm and informs the 
public, the Board thinks it may better facilitate timely reporting of 
such information if firms are not required to expend the resources and 
time necessary to consider the implications of public reporting of 
cybersecurity incident information and carefully scope it in deference 
to public reporting. In addition, the Board notes that there are state 
and consumer laws and regulations that require notification to 
individuals in cases of compromised data.
    Finally, in certain limited circumstances, some of the financial 
information included in financial statements may be subject to laws 
relating to the confidentiality of proprietary, personal, or other 
information, or might reasonably be identified by a firm as 
proprietary, and there the Board would need to honor a firm's properly 
substantiated request for confidential treatment of such information. 
The Board does not believe the public interest would be served by 
incomplete, piecemeal reporting of a firm's financial information.
    Some commenters recommended that the Board expand the scope of 
publicly reported information by making audit firm financial statements 
public. Some commenters encouraged the PCAOB to maintain 
confidentiality in perpetuity for items collected under this new 
disclosure regime (i.e., financial statements, cybersecurity incidents, 
and certain special reporting events). A commenter requested that the 
PCAOB clarify explicitly whether these new reporting items would remain 
confidential. One urged the Board to provide more detail on 
confidentiality protections over these enhanced areas of reporting. 
Another suggested that the expanded fee information, cybersecurity 
related policies and procedures, and certain firm governance and global

[[Page 96724]]

network information should also receive confidential treatment. One 
commenter asked that smaller firms receive an option to request 
confidential treatment due to the disproportionate costs they face.
    As explained in the proposal, the Board sought to achieve a balance 
between protecting potentially proprietary, sensitive, and developing 
information that could reveal firm vulnerabilities, on the one hand, 
and serving the public interest in transparency on the other. The Board 
still believes it strikes an appropriate balance to require that the 
financial statement, material event, and cybersecurity incident 
reporting requirements be confidential, while requiring other reporting 
areas to be public. The Board believes that much of the information 
required to be publicly disclosed is of the type that is already 
publicly available in some format, i.e., the type of fee, governance, 
and network information that the Board requires is of the type that 
some firms already report in voluntary transparency reports or on their 
websites. Moreover, in cases where such information is not currently in 
the public domain, the nature of the applicable disclosure requirement 
is sufficiently general and principles-based that it should not expose 
a firm to significant vulnerabilities or the disclosure of proprietary 
information. And the Board has further modified the final amendments to 
mitigate the possibility of the disclosure of proprietary information 
or personal data in the public reporting requirements, as discussed 
above. At the same time, the Board continues to believe that the 
potentially proprietary, sensitive and developing nature of certain 
information militates in favor of confidential reporting, and that 
confidential reporting would promote more candid reporting that would 
better serve the PCAOB's regulatory oversight objectives.
    In addition, the Board clarifies that it does not intend to make 
public the information that would be reported confidentially under the 
final amendments. Discussion in the proposal of information that may be 
made public in the future was limited to two scenarios. First, the 
proposal stated that the Board intended to analyze reported information 
to determine if further information should be made public pursuant to a 
later rulemaking. In other words, the Board may in the future require 
additional public reporting, but such reporting would be required 
pursuant to a further rulemaking initiative. The Board does not intend 
to retroactively make public information submitted under the final 
amendments. Second, the Board may consider making certain reported 
information public in an anonymized and aggregated fashion that would 
not compromise the confidential nature of any individual firm's 
disclosure. This is consistent with the Board's current practice in, 
for example, staff publications \72\ and is consistent with the Board's 
obligations under Sarbanes-Oxley to protect certain categories of 
information. Neither discussion was intended to convey that the Board 
intended to make public any information submitted by an individual firm 
on a non-public basis pursuant to the final amendments.
---------------------------------------------------------------------------

    \72\ See PCAOB, Staff Publications, available at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------

Confidential Status of Reported Information
    Some commenters suggested that any information required by the 
proposal should be submitted by firms to the PCAOB only through the 
inspections process so that the information acquired the protections of 
Section 105(b)(5) of Sarbanes-Oxley. One commenter expressed that it is 
unclear whether confidentiality protections under Section 102 of the 
Sarbanes-Oxley Act would provide the same level of assurance of 
confidentiality protection as that provided by Section 105(b)(5). This 
commenter discussed that it would be unclear how the Board interprets 
its duties under the Sarbanes-Oxley in scenarios where the PCAOB 
receives requests for confidential information from third parties not 
covered by Section 105(b)(5) and where the PCAOB makes information 
reported under the proposal available to other agencies. Another 
similarly stated that any information the Board is seeking for its own 
use in overseeing registered firms through confidential submissions 
should continue to be collected pursuant to the PCAOB's inspection 
process. A commenter also asserted that the PCAOB should clarify that 
Section 105(b)(5) applies to any information or data reported to the 
PCAOB on a confidential basis.
    Under Sarbanes-Oxley Section 102(e), the information provided under 
this section ``shall be made available for public inspection, subject 
to rules of the Board or the Commission, and to applicable laws 
relating to the confidentiality of proprietary, personal, or other 
information contained in such applications or reports, provided that, 
in all events, the Board shall protect from public disclosure 
information reasonably identified by the subject accounting firm as 
proprietary information.''
    In addition, under Section 105(b)(5) of Sarbanes-Oxley, 
``information prepared or received by or specifically for the Board, 
and deliberations of the Board and its employees and agents, in 
connection with an inspection under section 104 or with an 
investigation under Section 105, shall be confidential and privileged 
as an evidentiary matter'' subject to certain limitations and 
exceptions.
    The Board has relied principally on Section 102, rather than 
Sections 104 or 105, to require reporting of the information to be 
provided under the final amendments, but has set forth in the final 
amendments that certain categories of information shall be 
confidential. In general, as described above, the Board does not intend 
to make public the information reported confidentially by an individual 
firm under the final amendments.\73\
---------------------------------------------------------------------------

    \73\ This is subject to the enumerated exceptions in Section 105 
related to sharing with, among other entities, the SEC.
---------------------------------------------------------------------------

    The Board notes that it is the intended purpose of the final 
amendments that the information be used in connection with inspections 
authorized under Section 104 as detailed below.\74\ In particular, the 
Board currently collects financial statements for certain large firms 
as part of its inspection process as noted in the proposal. The 
financial statement reporting requirement included in the final 
amendments is intended to improve the standardization and consistency 
of the provision financial statements, specifically with reference to 
(though not expressly limited to) their use by the inspection staff in 
the course of annual inspections of those firms. In this regard, the 
Board believes that the information collected on a confidential basis 
under the final amendments to inform the PCAOB's oversight of firms, 
particularly financial statements collected to inform inspections, may 
be subject to the privileges afforded information received by the Board 
in connection with an inspection under Section 104.\75\ To make more 
apparent the Board's intention in this regard, the Board has moved the 
rule mandating the reporting of financial statements to Section 4: 
Inspections in the Board's rules and renumbering accordingly. The Board 
believes this renumbering is more

[[Page 96725]]

consistent with the current and intended inspection use of financial 
statements.
---------------------------------------------------------------------------

    \74\ This does not foreclose other uses.
    \75\ Subject to certain exceptions, documents and information 
prepared or received by or specifically for the Board, in connection 
with an inspection under Section 104 of Sarbanes-Oxley, shall be 
confidential and privileged as an evidentiary matter under Section 
105(b)(5) of Sarbanes-Oxley.
---------------------------------------------------------------------------

    With respect to confidentially reported information, the Board 
notes there are compelling reasons to resist any publication or sharing 
of this information as discussed throughout the release. For example, 
material event reporting may implicate information that is sensitive 
and/or proprietary and, in certain instances, protected from disclosure 
under Sarbanes-Oxley. Cybersecurity incident reporting may implicate 
information that could give rise to security issues for registered 
firms or otherwise compromise sensitive aspects of a firm's operations.
    Finally, the Board observes that, with respect to information 
reported confidentially, the Board has historically provided firms an 
opportunity to request notification in the event that the Board is 
requested by subpoena or other legal process to disclose such reported 
information.\76\ The Board believes that such a provision is 
appropriate with respect to the confidentially reported financial 
statements, material events, and cybersecurity incidents and are 
modifying Forms 2 and 3 to provide firms this option.
---------------------------------------------------------------------------

    \76\ See, e.g., Form 1-WD, General Instruction 5 (``Pursuant to 
Rule 2107, any Form 1-WD filed with the Board shall be non-public. A 
registered public accounting firm may submit with Form 1-WD a 
request for Board notification in the event that the Board is 
requested by subpoena or other legal process to disclose the Form 1-
WD. The Board will make reasonable attempts to honor any such 
request, although the Board will make public the fact that the firm 
has requested to withdraw from registration.'').
---------------------------------------------------------------------------

3. Assertion of Conflicts of Laws
    The Board acknowledges that there may be certain limitations with 
respect to the data or information about a firm and its personnel that 
a firm may communicate publicly because public dissemination of it may 
conflict with a non-U.S. law. In considering whether to allow the 
opportunity to assert conflicts, the Board has considered both whether 
it is realistically foreseeable that any law would prohibit providing 
the required information and, even if it were realistically 
foreseeable, whether allowing a firm preliminarily to withhold the 
information is consistent with the Board's broader responsibilities and 
the particular regulatory objective.\77\ In addition, even where the 
Board has allowed registered firms to assert legal conflicts in 
connection with other forms, that accommodation does not entail a right 
for a firm to continue to withhold the information if it is 
``sufficiently important.'' \78\
---------------------------------------------------------------------------

    \77\ See PCAOB Rel No. 2015-008, at 37.
    \78\ See, e.g., PCAOB Release No. 2008-004, at 37-38 n.37.
---------------------------------------------------------------------------

    At the time it implemented Form 2, the Board extended an 
accommodation to registered non-U.S. firms by permitting them to 
request confidential treatment of information provided in response to 
Form 2, Item 3.2 (Fees Billed to Issuer Audit Clients).\79\ The staff's 
experience of reporting in response to that item has suggested that 
such an accommodation is not necessary. The Board has not granted a 
request for confidential treatment for information reported under this 
item, and it is not aware of any law that prohibits providing the fee 
information that is currently required or the fee information that the 
Board proposed to require. The Board notes that audit firm fee 
information is routinely reported under various international 
transparency directives, as well as pursuant to SEC issuer reporting 
requirements. Accordingly, the Board proposed to revise the 
instructions to Form 2 to delete the language permitting foreign 
registered firms to seek confidential treatment of information provided 
in response to Form 2, Item 3.2.
---------------------------------------------------------------------------

    \79\ For a firm to request confidential treatment, PCAOB Rule 
2300, Public Availability of Information Submitted to the Board; 
Confidential Treatment Requests, at (c)(2) requires both a 
representation that the information has not otherwise been publicly 
disclosed and either (1) a detailed explanation of the grounds on 
which the information is considered proprietary, or (2) a detailed 
explanation of the basis for asserting that the information is 
protected by law from public disclosure and a copy of the specific 
provision of law.
---------------------------------------------------------------------------

    With respect to the remaining information the Board proposed to 
require (with the limited exceptions of certain QC roles identified 
below), based on the Board's experience in this area, the Board did not 
foresee a realistic possibility that any law would prohibit a firm from 
providing the information. As noted above, in general, the Board 
believes that the information to be publicly reported is of the type 
that is already made public in some form by audit firms, including in 
existing transparency reporting, or is otherwise publicly available. 
The Board has also designed the reporting requirements with a view to 
avoiding personal identifying or client-specific information of the 
sort that could be protected by law.\80\
---------------------------------------------------------------------------

    \80\ The Board acknowledges certain requirements call for the 
names and titles of those in audit firm leadership positions. 
However, the Board believes the reporting requirements call for 
information regarding individuals in sufficiently senior positions 
that such information should already be public, with the limited 
exceptions of certain QC roles discussed below assertions of 
conflicts will be permitted for non-U.S. firms.
---------------------------------------------------------------------------

    Several commenters urged the PCAOB to retain the existing 
confidentiality treatment provision in Form 2 and extend such provision 
to cover the proposed disclosure items in order to allow non-U.S. firms 
to request confidential treatment where a required disclosure by a firm 
would be in conflict with applicable local laws/regulations. Commenters 
clarified that allowing such requests would protect against future 
conflicts of law that might develop. One commenter stated that they 
understood from non-U.S. firms that some of the proposed new required 
disclosures go beyond what non-U.S. regulators require and may lead to 
violations of local laws resulting from disclosure of information that 
non-U.S. auditors are required to keep confidential.
    As an initial matter, after considering the comments, the Board has 
decided to maintain its decision to eliminate the instructions to Form 
2 with the language permitting foreign registered firms to seek 
confidential treatment of information provided in response to Form 2, 
Item 3.2. Commenters have not brought to the Board's attention specific 
laws that would prohibit disclosure of this item, including in its 
amended form requiring fee amounts. The Board received general comments 
on fee amounts, as opposed to proportions, implicating proprietary 
information. However, the Board notes the fee information would be 
reported on an aggregated basis. Even if a firm has limited clients or 
a single issuer client, it is not clear how that would implicate 
information that would be prohibited from disclosure by law, especially 
in light of the public reporting of such information under SEC rules.
    With respect to personal data, as discussed below, the Board has 
limited requirements to only the more senior roles that it believes are 
most likely to be public. With respect to certain individual names that 
may be less senior or less likely to be otherwise publicly disclosed 
(QC operational and oversight roles), the Board further is permitting 
non-U.S. firms to assert conflicts. Commenters did not identify other 
categories of personal data that could not be disclosed under foreign 
law. In general, the comments the Board received on this issue did not 
identify specific provisions of laws, or existing rulemaking efforts, 
that would create conflicts between those laws and specific proposed 
metrics. The conflicts purportedly identified were instead general or 
speculative in nature.

[[Page 96726]]

Moreover, the Board believes the changes it has made to narrow the 
roles reported, and the determination to permit assertions of conflicts 
by non-U.S. firms for less senior roles, mitigate the potential for any 
conflicts. Accordingly, the Board does not believe it is realistically 
foreseeable that a law would prohibit the required additional 
reporting. As such, the Board has not permitted assertions of conflicts 
in the final amendments, with one exception, namely the QC oversight 
and operational roles.
Discussion of the Reporting Updates
    The Board has adopted amendments to Forms 2 and 3 to impose new 
reporting requirements, and to implement a new form for firms to update 
their ``Statement of Applicant's Quality Control Policies'' reported on 
Form 1 \81\ on a one-time basis. This section discusses the specific 
amendments.
---------------------------------------------------------------------------

    \81\ The Statement of Applicant's Quality Control Policies is 
currently reported on Form 1.
---------------------------------------------------------------------------

Financial Information
1. Fee Information
    The Annual Report Form currently requires firms to report the 
percentages of total fees that were billed to issuer clients for audit 
services, other accounting services, tax services, and non-audit 
services relative to the total fees billed for the period.\82\ When the 
Board originally conceived this requirement, it intended for it to 
provide ``a picture of how the firm's services for issuer audit clients 
compare generally with the firm's services for other clients, and . . . 
also [to] provide a picture of the allocation of services the firm 
provided to issuer audit clients.'' \83\ The Board continues to believe 
that such information is useful to investors and audit committees in 
understanding a firm's audit practice, individually and relative to 
other services provided. In the proposal, the Board explained that it 
believed requiring reporting in actual dollar amounts, rather than 
percentages, and providing more complete and further disaggregated fee 
information, would increase the benefit of this reporting requirement.
---------------------------------------------------------------------------

    \82\ See Form 2, Item 3.2.
    \83\ See PCAOB Release No. 2006-004, at 4. With respect to the 
PCAOB's regulatory authority to impose requirements to disclose non-
audit related fees, Sarbanes Oxley Section 102(d) gives the PCAOB 
authority to require ``additional information as the Board or 
Commission may specify, in accordance with subsection (b)(2).'' 
Section 102(b)(2)(H), in turn, specifies that such information can 
be necessary or appropriate in the public interest or for the 
protection of investors. Here, obtaining additional data on non-
audit services allows Form 2 user to better assess how the firm's 
audit practice compares to other parts of its business. This is 
consistent with the PCAOB's original rationale for collecting 
information for fees from non-audit services.
---------------------------------------------------------------------------

    Accordingly, the Board proposed to amend Form 2, Item 3.2 to 
require enhanced information regarding a firm's audit fees. 
Specifically, the Board proposed to require firms to report:
     Fees for audit services, in total and from
     issuers;
     broker-dealers;
     and other companies under audit (delineating sources, 
e.g., fees from private company audits and custody rule audits); \84\
---------------------------------------------------------------------------

    \84\ PCAOB Rule 1001, Definitions of Terms Employed in Rules, at 
(a)(vii) defines ``audit services'' as follows:
    With respect to issuers, the term ``audit services'' means 
professional services rendered for the audit of an issuer's annual 
financial statements, and (if applicable) for the reviews of an 
issuer's financial statements included in the issuer's quarterly 
reports or services that are normally provided by the accountant in 
connection with statutory and regulatory filings or engagements for 
those fiscal years; With respect to brokers and dealers, the term 
``audit services'' means professional services rendered for the 
audit of a broker's or dealer's annual financial statements, 
supporting schedules, supplemental reports, and for the report on 
either a broker's or dealer's compliance report or exemption report, 
as described in Rule 17a-5(g) under the Exchange Act.
---------------------------------------------------------------------------

     Fees from other accounting services; \85\
---------------------------------------------------------------------------

    \85\ PCAOB Rule 1001(o)(i) defines ``other accounting services'' 
as assurance and related services that are reasonably related to the 
performance of the audit or review of the client's financial 
statements, other than audit services.
---------------------------------------------------------------------------

     Fees from tax services; \86\ and
---------------------------------------------------------------------------

    \86\ PCAOB Rule 1001(t)(i) defines ``tax services'' as 
professional services rendered for tax compliance, tax advice, and 
tax planning.
---------------------------------------------------------------------------

     Fees from non-audit services.\87\
---------------------------------------------------------------------------

    \87\ PCAOB Rule 1001(n)(ii) defines ``non-audit services'' as 
all services other than audit services, other accounting services, 
and tax services.
---------------------------------------------------------------------------

    The proposal, in contrast to the current Form 2 requirement, would 
have required reporting of fees billed in these categories from all 
clients rather than from issuer audit clients.
    Some commenters generally supported the proposed enhanced fee 
requirements, with one commenter noting that the allocation of fees 
between issuers, broker-dealers, and non-PCAOB clients may be useful to 
investors and audit committees in assessing the qualifications of 
potential audit firms. One commenter noted that the disaggregation of 
fees between issuer and broker-dealer audit clients may provide 
relevant information about the nature of the firm's activities and 
expressed support for disclosure that enabled comparison of a firm's 
issuer audit practice as compared to its other practice.
    Some commenters expressed concerns about the usefulness of proposed 
enhanced fee reporting, including skepticism that reporting in actual 
fee amounts would provide greater insight than fee information reported 
in percentages, noting the proposed fee categories deviate from fee 
disclosures required in SEC proxy statements and suggesting the fee 
information in existing Form 2 requirements and proxy statements 
provides adequate insight into audit fees. One commenter suggested that 
retaining percentage-based disclosure would allow stakeholders to 
remain focused on meaningful metrics. One commenter stated the proposed 
fee disclosure was tantamount to detailed segment disclosure of revenue 
across service lines and suggested the proposed requirement conflicts 
with the Board's proposed confidential approach to reporting financial 
statements. Some commenters questioned whether any inferences regarding 
audit quality could be drawn from the proposed fee disclosures and one 
suggested fee disclosures, if any, should be limited to fees for 
services to issuers and broker-dealers and fees provided to other 
clients. Some commenters also questioned whether the proposed fee 
disclosures would increase comparability, noting the differences of 
size and structures of firms.
    Other commenters stated that reporting fees at the proposed level 
of granularity would represent substantial costs for firms, with one 
commenter particularly highlighting difficulties of reconciling timing 
and allocation of private company audit fees. That commenter also 
stated that the level of precision the proposal would require is 
inconsistent with the PCAOB's original rationale for fee reporting and 
suggested more research before implementing the proposed requirement. 
Another commenter stated that reporting fees at the proposed level of 
specificity would require transformation of finance systems for many 
firms, stating that the proposal would eliminate a reliable existing 
source of fee data in SEC disclosures, remove the current Form 2 
provision that allows for estimates, and require special tracking fees 
for the new PCAOB fee categories. Another commenter stated that, 
because its issuer audit practice is small, the costs of fee disclosure 
would be disproportionate to the number of audits impacted. One 
commenter suggested that, if the Board proceeds with the fee proposal, 
it should be modified to allow estimates, allow use of data already 
required to be provided in SEC filings, allow for reporting based on 
client or firm fiscal year end, and allow firms to

[[Page 96727]]

explain calculation methodology on Form 2. One commenter suggested, as 
an alternative, that the Board consider better defining reporting 
requirements to improve comparability and research further the 
implications of disclosure at the proposal's level of granularity.
    Some commenters questioned whether the proposed disclosure of fees 
regarding non-PCAOB audits were within the PCAOB's remit or opposed the 
level of disaggregation of the audit fees for non-PCAOB audits. Some 
commenters suggested that the proposed disclosure of fees related to 
non-PCAOB audits was in tension with the clarification and distinction 
between services subject to and not subject to PCAOB oversight 
discussed in proposed Rule 2400, Proposals Regarding False or 
Misleading Statements Concerning PCAOB Registration and Oversight and 
Constructive Requests to Withdraw from Registration or could cause 
confusion about the scope of the Board's oversight that could lead to a 
false sense of confidence in non-PCAOB aspects of a firm's operations. 
Other commenters suggested the proposal steps into the regulation of 
non-PCAOB audits.
    In addition, commenters asked for clarification regarding the shift 
from requiring disclosure of fees billed to issuers to fees billed to 
all clients. Finally, some commenters asked for a materiality or de 
minimis threshold for fee disclosures. One commenter stated that, under 
current Form 2 reporting requirements, it would take a material 
difference in fees to shift the percentage that is reported.
    The Board also solicited comments on whether it should consider 
changing the Form 2 reporting period, including to align with Form FM, 
which commenters opposed.
    The Board has adopted enhanced fee disclosure requirements with 
modifications. The Board continue to believe that requiring disclosure 
of actual fee amounts, rather than percentages, will increase the 
usefulness of fee reporting. For example, disclosing actual fee amounts 
of issuer audit fees will permit stakeholders to ascertain the size of 
a firm's audit practice, isolate firms of similar size, and compare fee 
information across a subset of similarly sized firms. In addition, the 
Board continues to believe that, despite the availability of issuer-
level fee data in SEC filings, it is beneficial to provide aggregated 
data to stakeholders, particularly investors, for whom it would 
represent a significant cost to compile similar information from SEC 
filings.
    In consideration of comments, the Board has eliminated the proposed 
requirement to provide disaggregated data for audit services billed to 
non-issuer and non-broker-dealer clients (i.e., to non-PCAOB clients). 
In addition, the Board has eliminated the requirement to report fees 
billed to all clients for each of the four fee categories. While the 
Board continues to believe that it is both within the PCAOB's statutory 
authority, and an appropriate exercise of that authority, to require 
reporting of information regarding an audit firm's operations that may 
bear on its audit practice, the Board is mindful of comments regarding 
the costs and ambiguities of disclosing at the proposed level of 
granularity.
    Accordingly, the modified amendment will require firms to report 
the amount of fees billed to issuer audit clients for audit services, 
other accounting services, tax services, and non-audit services during 
the reporting period. These amounts represent the numerator for the 
proportion that must currently be calculated in order to report the 
percentages currently required on Form 2. In other words, this 
amendment should not require any additional tracking or calculation by 
firms. In addition, the modified requirement would require firms to 
report the total fees billed by the firm to all clients for services 
rendered during the reporting period. This amount represents the 
denominator for the proportion that must currently be calculated in 
order to report the percentages currently required on Form 2. 
Therefore, again, this amendment should not require any additional 
tracking or calculation by firms. Finally, the modified requirement 
will require firms to report fees billed to broker-dealer audit clients 
during the reporting period. The Board agrees with commenters that 
supported this element of the proposal and continues to think it is 
appropriate to provide some insight into the broker-dealer practice in 
relation to the firm's other practices.
    Further, in a change from the proposal, for fees billed to issuer 
audit clients, the modified requirement will retain Form 2's existing 
provision permitting a firm to identify whether it is reporting amounts 
for the Form 2 reporting period or fee amounts disclosed to the 
Commission by those clients for each client's fiscal year. It will 
further retain Form 2's existing provision allowing firms to indicate 
if they have used a reasonable method to estimate amounts and to 
describe its reasons for doing so. It will not retain the Form's 
current rounding provision as that provision refers to rounding 
reported percentages to the nearest five percent and would be 
inapplicable to reported amounts. Instead, it will substitute language 
permitting rounding to the nearest dollar amount.
    The Board believes these changes will ease implementation and costs 
associated with enhanced fee reporting while still providing the most 
useful proposed additional information to investors, audit committees, 
and other stakeholders, and better aligning the fee disclosure 
requirement on Form 2 with those required in other jurisdictions, such 
as the EU.\88\
---------------------------------------------------------------------------

    \88\ The changes will not accomplish perfect alignment with EU 
reporting categories but better align with that reporting regime 
while maintaining SEC fee reporting categories.
---------------------------------------------------------------------------

    As proposed, the Board has not adjusted the Form 2 reporting period 
to align with the Form FM reporting period or otherwise.
    Lastly, the Board has not adopted a materiality or de minimis 
threshold in connection with the obligation to amend forms to correct 
information that was incorrect at the time the report was filed or to 
provide information that was omitted from the report and was required 
to be provided at the time the report was filed. Historically, the 
Board has not established, and has not found necessary, materiality or 
de minimis thresholds in connection with form amendments. The Board 
believes that implementing a materiality or de minimis threshold would 
introduce unnecessary complexity and uncertainty to the form amendment 
process and, further, would potentially threaten, or be perceived to 
threaten, the accuracy and reliability of reported information, thereby 
undermining the intended purpose of the amendments. The Board notes 
that rounding and reasonable estimates are permitted in connection with 
fee reporting. There is no expectation that differences in reported 
amounts within the rounding threshold, or differences between actual 
and estimated amounts, would require amending the form to correct 
reported amounts.
2. Financial Statements
    In addition to enhanced fee information, the Board proposed to 
require that the largest firms provide financial statements to the 
PCAOB annually on a confidential basis. The Board proposed to define 
the largest firms as those that issued more than 200 reports for issuer 
audit clients and had more than 1,000 personnel during the relevant 
reporting period.\89\ The Board

[[Page 96728]]

proposed that such financial statements be reported in accordance with 
the applicable financial reporting framework in the firm's jurisdiction 
(i.e., either U.S. GAAP or IFRS, exclusively) \90\ but would not be 
required to be audited. The Board proposed to provide for an extended 
transition period of three years in connection with this requirement. 
For years 1 and 2, firms would have been permitted to provide financial 
statements that do not conform to the applicable financial reporting 
framework, provided that they (1) identify the information that is not 
readily available but is required to produce U.S. GAAP or IFRS 
statements, and (2) provide notes that would reconcile non-conforming 
financial statements to the applicable financial reporting framework. 
The Board proposed to require that the largest firms submit financial 
statements for the most recent fiscal year ended during the Annual 
Report Form reporting period. The Board did not propose to define a 
fiscal year for reporting firms.
---------------------------------------------------------------------------

    \89\ The number of firm personnel is currently reported in Item 
6.1 of Form 2 and information regarding audit reports for issuers is 
currently reported in Item 4.1 of Form 2. As of December 31, 2023, 
the registered firms that meet such criteria audit issuers that 
possess a combined market capitalization of $62.19 trillion, which 
represents 99.82% of the total market capitalization of all issuers 
audited by registered firms.
    \90\ The firms that would currently meet this threshold are U.S. 
firms; therefore, the applicable financial reporting framework would 
be U.S. GAAP.
---------------------------------------------------------------------------

    Further, the Board did not propose public reporting of financial 
statements. The Board did propose, however, to modify the Annual Report 
Form to include a checkbox for the largest firms to indicate they have 
submitted financial statements confidentially to the PCAOB.
    As discussed in more detail in the proposal, the Board believes 
requiring financial statements from the largest firms will enhance the 
PCAOB's oversight and monitoring of these firms and the audit market. 
This information will help the PCAOB better understand a registered 
firm's audit practice, the relationship of its audit practice to its 
overall business, and the overall financial stability of a firm. An 
assessment of audit firm resources will enable the Board to understand 
a firm's capacity to withstand risks associated with events such as a 
firm's break-up, court judgments against the firm, or threats to global 
networks or other affiliates that may require the firm's support. The 
financial statement information will inform the PCAOB's inspection 
function by providing a baseline understanding of a firm's operations, 
the resources devoted to its audit practice, and its focus and 
incentives. Further, financial information will inform overall economic 
and risk analysis, including as it relates to analysis performed to 
support standard-setting, inspections, and enforcement activities, and 
the Board's overall oversight.
    Finally, the Board explained in the proposal that requiring this 
information to be presented in accordance with an applicable financial 
reporting framework will increase the usefulness of this information to 
the PCAOB by facilitating analysis and comparison across firms and 
ensuring the information is presented completely and in an accessible 
manner.
General Comments
    Some commenters supported the proposed financial statement 
requirement generally, noting its consistency with the ACAP 
recommendation. These commenters also supported requiring financial 
statements to be public and audited, citing prior IAG discussions and 
the ACAP recommendation, and stating auditing firms in the UK have 
publicly issued annual reports containing audited financial statements 
for a dozen years. These commenters stated that investors would find 
aspects of audited financial statements and related footnotes useful 
when making proxy voting decisions or exercising oversight 
responsibilities over public company audit committees. They also stated 
that aspects of the independent auditor's report would provide useful 
information to investors when making proxy voting decisions or 
exercising oversight responsibility over public company audit 
committees.
    Some commenters opposed any auditing requirement. Others supported 
maintaining the confidentiality of financial statements, including 
suggesting that disclosure of confidential financial information could 
expose firms to competitive and other risks. One commenter suggested 
that public reporting of financial statements could mislead the public 
into believing that all areas of the audit firm's business are subject 
to PCAOB oversight.
    Others opposed the financial statement requirement generally and 
raised questions regarding the value of the reported information to the 
PCAOB, including stating that the proposal does not identify specific 
actions the Board would take, or could take within its authority, if it 
identified solvency-related information and asking for more clarity on 
how the Board would use the information, questioning how the 
information would improve audit quality and safeguard investors, and 
noting that the PCAOB has access to financial statement information 
through the inspection process. One commenter stated that there would 
be few firms that would qualify for the financial statement requirement 
and they would be submitted confidentially; therefore usefulness and 
benefits of the data would be limited but still involve tremendous 
cost. Some commenters questioned whether the requirement is within the 
Board's authority, with one specifically noting the requirement to 
delineate financial statements by service line and stating the proposal 
is in conflict with the Board's Rule 2400 proposal.
    The Board has adopted the proposed financial statement reporting 
requirement with modifications. For the reasons noted in the proposal, 
the Board continues to believe that requiring the largest firms to 
report financial statements to the PCAOB annually will enhance PCAOB 
oversight of these firms. As commenters observed, the PCAOB can 
collect, and at times (including at present) has collected, financial 
statements from larger firms through its inspection function. However, 
the financial statements have not been provided in a consistent and 
readily comparable form when collected in the inspections context. The 
Board continues to believe that financial statements are useful in the 
inspection context to broadly understand the firm's business and 
allocation of resources, and further believes that the utility will be 
enhanced by the increased standardization and consistency that will 
result from formalizing the collection of financial statements through 
a reporting requirement. For example, more standardized reporting of 
financial information will better enable the Board to understand the 
allocation of resources to a firm's audit practice, including changes 
in resources available from year to year. As another example, reliable 
year-over-year collection of financial statements will increase their 
usefulness in producing research to inform standard-setting and 
rulemaking. In addition, having more standardized financial statements 
on hand will assist the Board in understanding a firm's ability to 
withstand potential solvency threatening events reported under other 
provisions of the final rules.
    The Board agrees with commenters that confidential collection of 
financial statements is appropriate at this time. The Board 
acknowledges investor comments that aspects of financial statements may 
be useful to them in exercising voting and oversight responsibilities 
but, at present, continues to believe it does not have sufficient 
information regarding what

[[Page 96729]]

specific elements of financial statements, or how financial statements 
as a whole, would serve the public (in contrast to regulatory use of 
such information, which has been demonstrated in the inspections 
context). Moreover, in certain limited circumstances, elements of 
financial statements may constitute proprietary information. 
Accordingly, the Board has adopted the requirement that financial 
statements be reported confidentially, as proposed. The Board has added 
an instruction to Form 2 to clarify that financial statements shall be 
submitted confidentially. Given the confidential nature of the 
reporting, the Board continues to think an auditing requirement would 
have less utility (as compared to requiring auditing for publicly 
reported financial statements), as the Board is well-positioned to 
understand any limitations that a lack of reasonable assurance implies. 
Moreover, the reported information would be subject to the 
certification contained in Form 2 that it does not contain any untrue 
statement of a material fact.\91\
---------------------------------------------------------------------------

    \91\ See Form 2, Part X.
---------------------------------------------------------------------------

    Lastly, the commenters generally agreed with the proposal not to 
define a firm's fiscal year for purposes of the financial statement 
requirement. As proposed and consistent with comments received, the 
Board has not defined a fiscal year in connection with this 
requirement.
Comments on GAAP/IFRS
    Some commenters supported the proposal to require financial 
statements to be reported in accordance with an applicable financial 
reporting framework, i.e., GAAP or IFRS. Other commenters opposed the 
GAAP requirement, or expressed concerns, stating that it should not be 
necessary to achieve the Board's objectives, and the Board does not 
have a regulatory need for comparability, and questioned how the 
information would be useful to the Board. Others stated that 
comparability would be hindered including due to differences in firm 
structures. Some commenters stated that any additional information 
should be collected through the inspection process which would permit 
dialogue or follow-up requests.
    Some commenters noted that most firms do not prepare GAAP financial 
statements. Commenters also noted in connection with this requirement 
that firm business models and structures vary, reporting per an 
applicable financial reporting framework would not serve a business 
purpose for the firm, and firms would incur significant costs to 
prepare GAAP financial statements, with one commenter noting smaller 
firms would find the requirement particularly burdensome. One commenter 
stated that GAAP financial statements may require consolidation of 
subsidiaries, which could include international businesses and other 
service lines, which may include more information than intended by the 
proposed requirement. Another commenter stated that firms as privately 
held entities should have flexibility to provide financial statements 
in the form used by firm management. One commenter stated that its 
audit practice is a small part of its overall business and therefore 
its financial statements would predominantly not relate to its audit 
practice.
    A commenter noted that the proposed reporting by business line will 
create additional cost. Another commenter noted the need to clarify the 
delineation of statements by business line, noting that GAAP may or may 
not require such a delineation. Other commenters stated that to 
reconcile non-conforming financial statements to the applicable 
financial reporting framework during the proposed transition period 
would essentially require firms to do GAAP during that period.
    The Board has not adopted the requirement to report financial 
statements in accordance with an applicable financial reporting 
framework. As discussed in greater detail in Section D, the Board 
understands that preparing financial statements in accordance with GAAP 
will entail costs and that firms do not necessarily have a business 
purpose for the preparation of such financial statements. However, the 
Board continues to believe that standardizing to some degree the form 
in which financial statements are reported will enhance the Board's 
oversight, both with respect to the current use of financial statements 
in the inspections context and for broader regulatory purposes that 
more standardized reporting may enable, including to inform policy 
research. However, the Board is persuaded that it can achieve a useful 
degree of standardization without mandating reporting in conformity 
with GAAP. Accordingly, the Board has adopted the rule without language 
requiring reporting in conformity with an applicable financial 
reporting framework.
    The Board has retained the requirement that reported financial 
statements should include a balance sheet, income statement, cash flow 
statement, and notes to the financial statements for the entity 
registered with the Board. The Board believes it is useful to set forth 
the basic components that should be included in the financial 
statements for clarity. The Board has also retained the requirement 
that financial statements should delineate by service line (i.e., audit 
services, other accounting services, tax services, and non-audit 
services).\92\ This delineation is consistent with the Board's 
historical rationale for requiring fees to be reported for these 
categories, namely to understand the audit practice in context with the 
firm's other lines of business. However, the Board has specified that 
the delineation by service line should include, at a minimum, 
delineation by service line of revenue and operating income. With 
respect to revenue, given the current Form 2 requirements for fee 
reporting with respect to these four service lines, and based on the 
staff's oversight experience, the Board believes firms should already 
be delineating fees in this manner. Narrowing this requirement to 
revenue and operating income--instead of leaving the requirement 
broadly applicable to all aspects of the financial statements or as 
compared to GAAP segment reporting--should clarify the requirement and 
ease implementation costs.
---------------------------------------------------------------------------

    \92\ The proposed rule indicated that financial statements 
should delineate by service line (i.e., audit services, other 
accounting services, tax services, and non-audit services subject to 
PCAOB oversight). The Board has clarified in the final amendments 
that it means audit services, other accounting services, tax 
services, and non-audit services as those terms are defined in the 
Board's rules.
---------------------------------------------------------------------------

    To achieve a further degree of standardization and, in turn, help 
ensure the financial statements improve PCAOB oversight, the Board has 
added language to require that financial statements should be prepared 
on an accrual basis. Additionally, the Board has included language to 
require reporting of significant ownership interests, private equity 
investments, unfunded pension liabilities, and related party 
transactions, including those with other members of a global 
network.\93\ The Board believes specifying accrual basis of accounting 
(1) should help ensure that the staff has access to audit firm 
financial information that may impact the audit practice (e.g., accrued 
compensation and benefits, post-retirement medical benefits, 
distributions to former partners, accounts payable, long-term debt and 
notes payable, reserves for claims, taxes, advance payments from 
clients, lease obligations, related party obligations, and other 
expenses

[[Page 96730]]

incurred); and (2) is generally consistent with current practice at 
larger firms and should represent a lesser cost to firms than GAAP/IFRS 
reporting would have entailed.\94\ Narrowly specifying certain 
additional information will help ensure the staff obtains prioritized 
information without imposing the costs of GAAP/IFRS reporting.\95\
---------------------------------------------------------------------------

    \93\ The Board notes that it is declining at this time to 
promulgate a more comprehensive framework for financial reporting by 
audit firms in favor of these minimum specifications.
    \94\ The Board notes that GAAP/IFRS financial statements are 
accrual basis and the comments on that aspect of the proposal did 
not specify that accrual basis in particular would be problematic or 
costly. Indeed, a commenter stated that financial statements 
prepared on a non-GAAP or modified GAAP basis using accrual 
accounting reflect the way firms run their businesses and are 
therefore more appropriate and useful for the PCAOB.
    \95\ The Board believes the additional specified information is 
of the type that would be called for by GAAP. See, e.g., ASC 810 and 
ASC 850.
---------------------------------------------------------------------------

    The Board believes these modifications balance the need for some 
degree of standardization in order to improve staff oversight with the 
costs to firms that conformity to GAAP/IFRS would have entailed.
    In further consideration of comments regarding costs, the Board 
continues to believe it is appropriate to confine this requirement to 
the largest audit firms, which are better able to bear costs. 
Accordingly, the Board has adopted the large firm threshold 
substantially as proposed. The Board has modified the language 
codifying the threshold to clarify that it depends on the number of 
issuers for which a firm has issued audit reports, i.e., the 
requirement applies to a registered public accounting firm that issued 
audit reports for more than 200 issuers and had more than 1,000 
personnel during the preceding Form 2 reporting period, rather than a 
firm that has issued more than 200 audit reports. This better aligns 
with information reported on Form 2.
    Because the Board has not adopted the GAAP/IFRS requirement (and 
therefore are not adopting segment reporting requirements or interim 
requirements to reconcile non-conforming information) the Board has not 
further addressed comments regarding tension between GAAP segment 
reporting and reporting by service line, or comments regarding the 
requirement to reconcile non-conforming information during the 
transition period.
Comments on Authority
    Some commenters suggested that requiring GAAP financial statements 
exceeded the PCAOB's authority. Specifically, for example, a commenter 
stated that it questioned the authority and rationale behind requiring 
firms to change their basis of financial reporting when many use (and 
may be required to use, pursuant to partnership agreements or other 
obligations such as bank covenants and related arrangements) another 
framework to manage and report on their business operations. The Board 
thinks comments of this nature are mooted to a significant degree by 
removing the requirement to report in conformity with an applicable 
financial reporting framework. In addition to the above-referenced 
general response regarding authority for these reporting requirements, 
the Board notes that it is not purporting to dictate anything regarding 
the financial reporting that a firm engages in for business and other 
purposes. The exclusive purpose of the reporting requirement is to set 
forth some minimum requirements for reporting to the PCAOB that will 
enhance the PCAOB's oversight as it relates to the firm's conduct of 
audits and the Board's objective of understanding the firm's audit 
practice in relation to the conduct of its overall business.
Governance Information
    The Annual Report Form currently requires firms to identify the 
legal name of the firm, contact information for the firm, and a primary 
contact person for the Board. In recent years, regulatory requirements, 
investor demands, and market practices have come to reflect a consensus 
around the importance of governance information to investors and audit 
committees. For example, IOSCO, after extensive study and outreach, 
published a guidance document for audit firm transparency reporting in 
which it specified including a description of the firm's legal, 
ownership, and governance structure.\96\ One disclosure guide for 
transparency and audit quality reporting notes the direct relationship 
between firm leadership and governance on the one hand, and audit 
quality on the other, identifying governance and leadership as a 
component of audit quality.\97\ Transparency regulations in other 
jurisdictions require firms to publish certain governance 
information.\98\ The prevalence of such information in mandatory and 
voluntary transparency frameworks reflects its fundamental importance 
to understanding and assessing an audit firm and its ability to deliver 
audit services. Importantly, however, voluntary transparency reports 
have not resolved the present opacity with respect to audit firm 
structure, governance, and operations. The Board believes it can 
mitigate the lack of transparency through enhanced governance reporting 
requirements, which will also increase standardization of the 
information available.
---------------------------------------------------------------------------

    \96\ IOSCO, Transparency of Firms.
    \97\ CAQ, Audit Quality Disclosure Framework (June 2023), at 8.
    \98\ See, e.g., Regulation (EU) No 537/2014 at Article 13.
---------------------------------------------------------------------------

    Accordingly, the Board proposed to amend Form 2 to create new Item 
1.4 to identify the following enhanced governance-related information, 
as rendered in the proposing release:
     the principal executive officer and all direct reports to 
that officer, including names and titles; \99\
---------------------------------------------------------------------------

    \99\ Direct reports to the principal executive officer should 
not be understood to include administrative staff.
---------------------------------------------------------------------------

     the individuals who are responsible for various components 
of the QC system (outlined in QC 1000, A Firm's System of Quality 
Control), including the individual(s) with ultimate accountability for 
the QC system as a whole;
     whether the firm has a governing board or management 
committees to which the principal executive officer reports and, if so, 
the identity of the members of that board or committee;
     the executive officer(s) who oversee(s) the firm's audit 
practice;
     whether the firm has an external oversight function for 
the audit practice composed of one or more persons who are not a 
partner, shareholder, member, other principal, or employee of the firm 
and does not otherwise have a commercial, familial, or other 
relationship with the firm that would interfere with the exercise of 
independent judgment with regard to matters related to the QC system 
and, if so, the identity of the person or persons and an explanation 
for the basis of the firm's determination that each such person is 
independent (including the criteria used for such determination) and 
the nature and scope of each such person's responsibilities (within 
this release, such persons who meet the outlined criteria are referred 
to as the firm's ``External QC Function (EQCF)''); \100\ and
---------------------------------------------------------------------------

    \100\ See A Firm's System of Quality Control and Other 
Amendments to PCAOB Standards, Rules, and Forms, PCAOB Release No. 
2022-006 (Nov. 18, 2022), at 97.
---------------------------------------------------------------------------

     a description of the legal structure, ownership, and 
governance of the firm, including processes that would govern a change 
in the form of the organization (e.g., what are the relevant governing 
bodies, voting rights, and approval requirements relevant to such an 
organizational change). In addition, the proposal would revise the form 
to specify that a firm should identify any change in the applicant's 
form of

[[Page 96731]]

organization reported on Form 1, Item 1.4.
    With respect to the disclosure of the role of the EQCF within the 
audit oversight function, as proposed, the firm would have been 
obligated to report if such a role exists, and the name of any person 
occupying that role.\101\ As proposed, in the event the firm reported 
one or more persons occupying the EQCF on Form 2, the firm would also 
have been required to report on Form 3 when such a person is appointed, 
resigns, is dismissed, ceases to meet the criteria to serve in the 
EQCF, or changes roles, the date of such event, and whether the change 
was recommended or approved by any governing board or management 
committee.
---------------------------------------------------------------------------

    \101\ The Board proposed that the name of the proposed EQCF and 
QC operational roles be subject to assertions of a conflict of laws 
by non-US registered firms. The Board thinks the name of the EQCF 
and QC operational roles are distinguishable from other names called 
for by this section insofar as this name or names may not already be 
public in connection with this role.
---------------------------------------------------------------------------

General Comments
    Some commenters supported the proposed governance requirements, 
noting that they agreed that voluntary transparency reports have not 
resolved the present opacity with respect to audit firm structure, 
governance, and operations, and the amendments could mitigate the lack 
of transparency through enhanced governance reporting requirements, 
which would also increase standardization of the information available. 
Those commenters further stated they agreed that, among other things, 
enhanced governance information would allow investors, audit 
committees, and other stakeholders to better understand the practices 
of firms and differentiate among firms with respect to, for example, 
leadership, oversight of the audit practice, oversight of auditor 
independence practices, and board of directors composition, including 
independence of directors, and that requiring this information through 
a reporting requirement would increase the standardization, and 
therefore comparability, of information available to investors, audit 
committees, other stakeholders, and the PCAOB. Another commenter stated 
that the governance information may be useful to audit committees as 
they make auditor selection and retention decisions.
    One commenter stated that, while it had reservations, it agreed 
with the Board's overall objective to obtain information regarding 
audit firm governance to help investors, audit committees, and other 
stakeholders better understand firm processes and priorities, and to 
bolster the PCAOB's oversight of registered firms. Another commenter, 
which also had reservations, noted that the proposed requirements would 
provide the PCAOB, investors, and other stakeholders a view as to how a 
firm is structured.
    One commenter, while expressing other reservations, agreed that 
audit quality is linked to strong firm leadership and governance. 
Another commenter stated that the governance requirements may improve 
audit quality by helping audit committees in their decision-making and 
incentivizing firms to improve governance mechanisms, while at the same 
time noting uncertainty about whether the requirement necessarily will 
improve audit quality or whether any improvements would be meaningful 
or consequential. This commenter noted the particular relevance of 
legal, ownership, and governance structure since some firms are 
beginning to explore alternative structures including employee stock 
ownership and private equity investments, and recommended including a 
specific requirement to identify voting rights and other restrictions 
resulting from private equity investments.
    Other commenters opposed and/or questioned the usefulness of the 
proposed requirements:
     One commenter stated that the proposal did not clearly 
articulate how the Board's proposed requirement would meet its 
objective due to the duplicative nature of the disclosure requirements 
and the availability of the information through alternative means.
     Another commenter objected overall to the governance 
reporting requirements because it would include operational details of 
audit firms that would not incrementally help stakeholders assess a 
firm or its ability to deliver audit services.
     Another noted that it was unclear how the array of 
information from all firms would be useful to stakeholders in assessing 
a firm and its ability to deliver audit services.
     Other commenters generally questioned the usefulness of 
the proposed items for investors or other stakeholders and/or how they 
would use this information.
     A commenter stated that audit committees in their capacity 
of overseeing the governance of auditors would be able to request and 
secure whatever information they determine necessary to assess an audit 
firm and its ability to deliver its services.
     One commenter questioned whether naming the individuals 
involved in an audit firm's governance will provide any meaningful 
benefit. This commenter also noted that users of this information would 
presumably have to perform other research on each person in order to 
realize any benefit. Another commenter stated it is unclear what 
purpose reporting all direct reports to the principal executive officer 
would serve. Another commenter noted the potential for 
misinterpretation of certain elements, specifically highlighting 
difficulties interpreting the requirement to report all direct reports 
to the principal executive officer. Another commenter noted direct 
reports to the principal executive officer may not be publicly 
available information. Another commenter recommended striking the 
requirement to include all direct reports.
     On the other hand, another commenter stated that by 
providing the names of the individuals, it will be evidence that 
someone has been assigned to each role and, by comparing to prior 
periods, whether there has been turnover in these positions.
     Several commenters stated that there are certain elements 
of the proposed governance reporting requirements that would mandate 
disclosure of granular operational details for which the Board has 
provided no evidence either of utility or decision-usefulness; these 
include the principle executive officer, the names of the individuals 
in the roles described in paragraph .12 of QC 1000 and the processes 
that would govern a change in the form of the organization.
     One commenter stated that it found reporting of the 
process that would govern a change in the form of organization to be 
too detailed and, in some cases, these processes are fluid and could 
evolve quickly as the change is occurring. A commenter noted that a 
description of the processes governing a change in the form of the 
organization can be complex and difficult to understand without 
significant context and recommended striking the change in governance 
requirement.
     Commenters noted the availability of governance 
information to the PCAOB through the inspection process or other 
avenues.
     Commenters stated that similar governance information is 
available in transparency reports. Other commenters highlighted that 
they provided similar information in their transparency reports.
     A commenter stated that ownership--particularly 
percentages--

[[Page 96732]]

is confidential information and should not be disclosed publicly.
    One commenter stated that it found this proposed requirement 
burdensome and excessive, particularly when considering that firms 
operate in a dynamic environment and may alter their structures and 
change personnel on a frequent basis. That same commenter stated that 
the proposed requirements included excessive granularity and may 
require significant context to be understood. Another commenter stated 
that the requirement to provide description of the legal structure, 
ownership, and governance of the firm, including processes that would 
govern a change in the form of the organization (e.g., what are the 
relevant governing bodies, voting rights and approval requirements 
relevant to such an organizational change) was the type of information 
included in a partnership agreement, questioned why such information 
should be made public, and stated that it is unclear how stakeholders 
would use such information.
    One commenter suggested that static, form-based reporting regarding 
governance would not result in meaningful transparency for investors 
and other stakeholders, and that governance reporting should be 
formulated to advance the ability of stakeholders (including investors 
and audit committees) to gain a holistic understanding of a firm's 
approach to audit quality through the eyes of the firm's leadership. A 
commenter recommended, if the Board moved forward with this 
requirement, that it streamline the requirement to focus on the most 
relevant information, in order to avoid duplication or overlap with 
other requirements, which could cause confusion to stakeholders. That 
commenter specifically recommended that the Board adopt a more general 
requirement to describe a firm's governance structure, including as it 
relates to the audit practice and system of quality management, without 
specifically requiring some of the more prescriptive elements of the 
proposal, stating that a more principles-based requirement is more 
likely to be informative to stakeholders because the disclosure would 
require firms to describe relevant parts of their own governance, 
rather than structuring their disclosure around very specific 
requirements that could be more relevant to some firms than others; 
such an approach that is less prescriptive would recognize that firm 
governance structures vary. A commenter recommended allowing firms to 
incorporate their transparency reports by reference to reduce cost and 
burden.
    The Board continues to believe that requiring standardized 
reporting of specified governance information will provide useful 
information to investors, audit committees and the PCAOB. Investor 
comments on the proposal support the contention that the governance 
reporting requirements will provide meaningfully decision-useful 
information to them. With respect to audit committees, the Board agrees 
that audit committees can request specified information from firms. 
However, the standardized reporting of governance information would 
provide information across firms to facilitate comparison. The 
standardized provision of this information will not impede audit 
committees from requesting bespoke information from audit firms, nor 
from engaging with firms however they choose. The Board will likewise 
benefit from standardized information via a reporting requirement, 
notwithstanding the staff's ability to request specified information 
through the inspection process. For example, having increased and more 
standardized information will increase the efficient use of inspection 
resources by reducing supplemental or ad hoc requests.
    While certain governance information may be available for certain 
firms through, for example, transparency reports, as discussed in the 
proposal, the Board continues to believe voluntary transparency 
reporting has not adequately mitigated opacity with respect to audit 
firm governance. Such reporting is inconsistent from year to year, from 
firm to firm, and, for many firms, simply not available. Mandatory 
reporting of specified governance information will increase the 
consistency and comparability of information available to all 
stakeholders. Allowing firms to substitute voluntary transparency 
reports for specified reporting on Form 2 would be inconsistent with 
this objective. Permitting firms to link to voluntary transparency 
reporting through a PCAOB form may create a misimpression regarding the 
reliability of such information.
    With respect to suggestions to take a more principles-based 
approach, the final amendments provide for narrative governance 
disclosures, which balances the need for sufficiently prescriptive 
requirements to promote standardization and comparability with the need 
for flexibility to provide context and account for varying firm 
structures.
    In consideration of comments and to better achieve the Board's 
regulatory objectives, the Board has modified certain elements of the 
amendments to better tailor the requirements and ease implementation. 
First, the Board has eliminated the requirement to report all direct 
reports to the principal executive officer to mitigate any issues 
regarding the disclosure of personal identifying information for 
individuals whose names and positions may not otherwise be publicly 
disclosed and whose positions may not be sufficiently germane to the 
audit practice to merit public reporting. The final amendments retain 
the requirement to disclose the principal executive officer, the 
executive or executives who oversee the firm's audit practice, and the 
QC roles (as described below), as the Board thinks these roles are 
sufficiently important to the audit practice and sufficiently likely to 
be public (except as noted below). The Board has also retained the 
requirement to disclose whether the firm has a governing board or 
management committees to which the principal executive officer reports 
and, if so, the identity of the members of that board or committee. The 
Board believes such positions are of sufficient seniority to likely be 
public and that such information is important to understanding overall 
firm governance. Second, the Board has eliminated the requirement to 
provide a description of the processes that would govern a change in 
the form of organization, as the Board intends the requirement to 
provide higher level governance information and is mindful that this 
provision may introduce more complexity than intended. Striking this 
provision also increases consistency with the EU directive 
requirements.
QC Comments
    The Board received comments specific to the proposed reporting of 
QC roles. Some commenters supported reporting of some or all of the 
proposed QC roles. One commenter supported disclosure, at least for 
some firms in some form, of certain QC roles including the principal 
executive officer (as the individual with ultimate responsibility and 
accountability for the firm's system of QC as a whole) and the 
individual assigned operational responsibility and accountability for 
the system of QC as a whole. At the same time this commenter objected 
to the proposed disclosure of the EQCF or any similar role.
    Some commenters noted that certain disclosures, such as those 
related to individuals with ultimate accountability for the QC system, 
overlap with roles to be reported under QC 1000 and recommended 
eliminating duplication

[[Page 96733]]

between this requirement and QC 1000 reporting requirements. Commenters 
stated that public disclosure of the QC roles on Form 2 was 
inconsistent with confidential reporting on Form QC and/or stated that 
the disclosures related to the QC system should be confidential 
consistent with reporting under QC 1000. Another commenter highlighted 
internal duplication within the proposed governance reporting, 
specifying that both proposed Item 1.4.a (principal executive officer) 
and 1.4.e (roles identified in paragraphs .11 and .12 of QC 1000) would 
necessitate the disclosure of the principal executive officer of the 
Firm. One commenter noted that, with respect to the QC roles, QC 1000 
and Form 2 cover different periods, thus, the disclosures could be 
different between Form QC and Form 2. One commenter suggested retaining 
the disclosure of the individual with overall responsibility for the QC 
system as a whole but striking the requirement to disclose the QC 
operational roles.
    Another commenter observed that the proposal would require a firm 
to disclose whether it has an independent oversight function for the 
audit practice, while the newly adopted QC 1000, A Firm's System of 
Quality Control, would require only some firms to have an EQCF; the 
commenter stated that this could cause confusion among stakeholders who 
do not understand the difference in requirements for an EQCF between 
firms. Another recommended clarifying the Board's use of the term 
``independent oversight function'' and qualifying the description of 
such a function with the term ``brief.''
    The Board has retained the requirement to disclose the QC roles, 
including both the operational roles specified in paragraph.12 of QC 
1000 and the EQCF roles. The duplication between these disclosure 
requirements and the requirement to report these roles on Form QC was 
intentional. While the Board ultimately concluded that Form QC as a 
whole should be non-public, that did not represent a line-by-line 
determination that every item to be reported on Form QC must be 
confidential.\102\ Certain considerations that militated in favor of 
the non-public nature of Form QC, including concerns that Form QC could 
include information protected from publication by Sarbanes-Oxley, do 
not apply to the disclosure of the individuals fulfilling these roles. 
The Board believes that the QC system, and these roles within the QC 
system, are sufficiently important to a firm's governance, and are 
directly and importantly related to the firm's conduct of audits, to 
warrant public disclosure of the QC roles. Moreover, the Board does not 
believe the reporting of a small number of names is overly burdensome, 
notwithstanding that firms have to report the names on Form QC (on a 
non-public basis) and on Form 2 (on a public basis).\103\
---------------------------------------------------------------------------

    \102\ See PCAOB Rel. 2024-005, at 265-270.
    \103\ Consistent with the proposal, the Board has allowed 
assertions of conflicts of laws with respect to these QC-specific 
roles. The Board believes they differ from other reported names, for 
which it is not allowing assertions of conflicts, because they may 
not be as senior or otherwise publicly reported.
---------------------------------------------------------------------------

    With respect to the comments regarding internal duplication with 
Item 1.4, the Board acknowledges that the proposed requirement to 
report the roles and responsibilities described in paragraph .11 of QC 
1000 (individual assigned ultimate responsibility and accountability 
for the QC system) was duplicative of the requirement to report the 
principal executive officer (who would have ultimate responsibility and 
accountability for the QC system). The Board therefore has struck the 
specific reference to paragraph .11 in Item 1.4e (while retaining the 
reference to paragraph .12 of QC 1000, which describes the QC 
operational roles). Lastly, the Board has modified Item 1.4.f related 
to the QC oversight function to conform to the language in paragraph 
.28 of QC 1000, to clarify that the reporting obligation is meant to 
capture the EQCF role as described in QC 1000.
    The Board has added a note to the form including a reference to 
paragraph .28 of QC 1000 (setting forth the EQCF requirement) and 
clarifying that this disclosure applies both to firms required to have 
such a role under QC 1000 and to firms that otherwise have a role that 
meets the definition in Item 1.4.f. The reporting requirement will 
permit sufficient narrative disclosure for a firm to provide context 
regarding the nature of the firm's EQCF, including whether it has 
created the role in response to QC 1000.28 or otherwise.
    With respect to any difference in reporting periods between Form QC 
and Form 2, Form 2 provides that information provided in Part I of the 
form, which would include Item 1.4, should be current as of the date of 
the certification of Form 2. Firms should abide by that instruction. 
Any disparity between information reported on Form 2 and on Form QC 
with respect to operational roles due to differing reporting periods 
should not cause confusion for users of Form 2 given the non-public 
nature of Form QC.
    Finally, the Board proposed that the names of the individuals 
occupying QC roles be subject to assertions of a conflict of laws by 
foreign registered firms. The Board continues to think the names of 
these individuals are distinguishable from other names called for by 
this section insofar as they may not already be public in connection 
with these roles and could foreseeably be subject to a non-U.S law 
prohibiting the disclosure of personal data. Therefore, the Board has 
adopted provisions to permit assertions of conflicts of laws as 
proposed.
Other Comments
    One commenter recommended that the Board, to the extent it includes 
the proposed items on an amended form, provide text boxes for each 
response with at least 2000 characters to allow firms to provide any 
necessary explanation and context for the information disclosed. The 
Board does not think each subpart of Item 1.4, such as those calling 
for a name or names, would merit 2000 characters. However, for those 
items that ask for a description, namely Items 1.4d and 1.4f, the Board 
agrees a more extended character count is warranted.
    Other commenters recommended further study or reconsidering the 
necessity of the governance reporting and assessing whether the 
proposed information would directly contribute to audit quality. The 
Board believes its experience and the notice and comment process have 
provided an appropriate opportunity to consider the merits of the 
proposal and, further, that the Board and others will be in a better 
position to assess the effects of the reporting requirements after the 
reporting is implemented.
Network Information
    The Annual Report Form currently requires firms to identify whether 
they are a part of certain networks, arrangements, alliances, 
partnerships, or associations and, if so, to identify them and provide 
a description of those relationships.\104\ In conceiving this reporting 
requirement, the Board noted that it intended to identify arrangements 
that ``afford[ ] the firm access to resources for use in issuer audits, 
including procedures, manuals, or personnel.'' \105\ The Board 
continues to believe that reporting regarding network arrangements that 
affect the resources, financial or otherwise, available to firms in the 
performance of audits is important to investors, audit committees, and 
others in their evaluations of audit firms and audit quality. However, 
the current network-related requirement asks only for ``a

[[Page 96734]]

brief description of such relationship'' without specifying the content 
of such a description. The Board believes that the benefits of this 
reporting requirement would be enhanced by requiring greater 
specificity in reporting on network arrangements.
---------------------------------------------------------------------------

    \104\ See Form 2, Item 5.2.
    \105\ See PCAOB Rel. No. 2008-004, at 10.
---------------------------------------------------------------------------

    Network arrangements have provided members with benefits that 
research has found may affect audit quality.\106\ As the largest four 
accounting firms, which have network arrangements, still provide audits 
to the majority of publicly held companies, it also follows that most 
public company audits are conducted by firms with network affiliations. 
Currently, while the PCAOB receives information regarding member firms 
within a network, the Board does not require significant information 
about how the network interacts with and supports member firms in the 
conduct of audits.
---------------------------------------------------------------------------

    \106\ See, e.g., Kenneth L. Bills, Lauren M. Cunningham, and 
Linda A. Myers, Small Audit Firm Membership in Associations, 
Networks, and Alliances: Implications for Audit Quality and Audit 
Fees, 91 The Accounting Review 767 (2016) (finding that specialized 
expertise, solutions to staffing and geographic limitations, and 
technical trainings are among the benefits that contribute to 
improved audits performed by smaller firms).
---------------------------------------------------------------------------

    Accordingly, the Board proposed to amend Form 2, Item 5.2 to 
require a more detailed description of the network arrangement, 
including describing the legal and ownership structure of the network, 
network-related financial arrangements of the registered firm (e.g., 
loans and funding arrangements to or from the network member firm), 
information-sharing arrangements between the registered firm and the 
network (including both sharing of such information as training 
materials, audit methodologies, etc. and sharing of audit client 
information), and network governing boards or individuals to which the 
registered firm may be accountable. The Board notes it would expect 
firms to indicate specifically whether they have outstanding loan and/
or funding arrangements with their networks, in addition to noting 
whether such arrangements are permissible under their network 
arrangements.
General Comments
    Some commenters supported the expanded network-related requirement 
generally. Other commenters opposed the network-related requirement. 
Some commenters questioned the usefulness of the proposed network 
requirements, including stating the following:
     It is unclear how the PCAOB would use the information.
     The PCAOB already has access to network-related 
information.
     It is unclear how this information would inform 
stakeholder decision-making.
     The network information may be misused or misinterpreted 
and could cause confusion.
     It is unclear how users could form conclusions about 
quality from the information to be provided.
     An individual member firm may not be privy to all network 
information that the PCAOB proposes to obtain.
    Some commenters expressed concerns that certain information called 
for by the proposed requirement was too sensitive and subject to 
misinterpretation for public disclosure:
     Commenters stated that certain information, including 
network financial arrangements and legal structures, is confidential, 
proprietary, or sensitive and registered firms are not necessarily 
permitted to share such information, and/or the required disclosures 
are contrary to the Board's obligations under Sarbanes-Oxley. A number 
of firms stated the information should be collected only 
confidentially.
     A commenter stated its strong opposition to the network-
related financial obligations of the registered firm or the governing 
boards or individuals to which the registered entity may be 
accountable, noting that such information is likely to be complex and 
potentially subject to misinterpretation without sufficient context. 
This commenter also stated this information may raise legal and 
financial risks for firms, threatening audit quality; for example, 
information regarding ordinary course financial arrangements has a risk 
of misinterpretation without sufficient context, including a 
misinterpretation that a firm is at risk of failure.
     A commenter stated the legal and ownership structure, 
network-related financial obligations, and how audit client information 
may be shared are complex matters that should be confidential, risk 
being misunderstood by stakeholders who do not have the benefit of two-
way dialogue with the firm, and are better suited to the inspection 
process. This commenter also noted the complex and varying nature of 
network arrangements and that the disclosures could lead to unintended 
legal and financial consequences. Finally, the commenter questioned 
whether users of Form 2 will draw inferences about audit quality based 
only on the firm's membership in a network.
     One commenter stated that disclosure of funding or loan 
arrangements may have the unintended consequence of causing a 
misinformed loss of confidence in a member firm. Another firm stated 
the network disclosures could put some firms at a competitive 
disadvantage.
    A commenter stated that the proposed requirement wrongly focuses on 
financial strength and suggested revising the requirement to focus on 
audit methodology, staff training, and quality control, including the 
following:
     Whether the network has a common audit methodology that is 
used by all member firms.
     Whether auditors throughout the network receive the same 
or similar training.
     Whether the network establishes minimum quality control 
policies and procedures that are implemented by each member firm.
     Whether the network conducts periodic inspections of its 
member firms and, if so, the frequency of those inspections and the 
extent to which the results of inspections are disseminated throughout 
the network.
     How the information about each member firm's clients is 
communicated across the network to facilitate compliance with the 
independence rules.
    A commenter, while opposing the overall requirement, stated that 
certain elements seem more likely to be relevant to stakeholders and 
would be less costly to produce, including high-level information about 
the legal and ownership structure of the network and information-
sharing arrangements between the registered firm and the network. One 
commenter stated that proposed disclosures related to network-related 
financial obligations and information-sharing arrangements between the 
registered firm and the network are ambiguous and do not include 
quantitative or qualitative limiting factors, and are not subject to a 
materiality threshold, thus potentially requiring firms to disclose 
even nominal arrangements within a network. This commenter stated that 
the Board expand the amount of space for firms to provide disclosure 
about the networks on Form 2 to allow more complete descriptions, but 
remove (or afford both a materiality threshold for, and a 
confidentiality protection to) the proposed specific requirements that 
may expose financial or other confidential or competitive business 
information.
    Some commenters questioned whether the Board's comparability 
objective would be achieved by the proposed requirements, with one 
commenter stating that the network-related requirements would not 
provide comparability benefits, given the wide variety in network 
structures among

[[Page 96735]]

PCAOB registered firms, and that without sufficient and appropriate 
context to fully understand this type of information, it would not be 
decision-useful information for third parties.
    The Board continues to believe, as discussed more fully in the 
proposal, that it is important for investors and audit committees to 
have access to comparable information regarding the resources a 
registered firm may have to conduct audit engagements and in connection 
with other aspects of its audit practice, such as training resources. 
To the extent that network arrangements may affect access to such 
resources, enhanced reporting regarding these aspects of a network 
arrangement would inform stakeholders' evaluation of the registered 
firm and its audit practice. Requiring greater specificity with respect 
to network information should reduce the likelihood of boilerplate 
disclosures and increase the usefulness to all stakeholders. The Board 
also continues to believe that requiring this information through a 
reporting requirement would increase the standardization, and therefore 
comparability, of information collected, which would benefit all users 
of this information.
    Further, the Board continues to believe enhanced network reporting 
would inform the PCAOB's regulatory function. It would provide a 
baseline understanding of how the network arrangement influences the 
firm's governance and accountability, including oversight of its audit 
practice, and access to resources. Having this information available to 
the Board via reporting will inform the Board's scoping and planning of 
inspections.
    In consideration of comments, however, the Board has modified the 
requirement to focus on the registered entity and the aspects of its 
relationship with the network that it believes most directly relate to 
the conduct of audits. Accordingly, instead of asking for the legal and 
ownership structure of the network, network-related financial 
obligations of the registered firm, information-sharing arrangements 
between the registered firm and the network, and network governing 
boards or individuals to which the registered entity may be 
accountable, the final amendments ask the firm to provide a brief 
description of the network relationship, i.e., describing at a high 
level the network structure and the relationship of the registered firm 
to the network, including whether the registered firm has access to 
resources such as firm methodologies and training, whether the firm 
shares information with the network regarding its audits, whether the 
firm is subject to inspection by the network, and any other information 
the registered entity considers relevant to understanding how the 
network relationship relates to its conduct of audits.
    The Board believes these modifications should simplify the 
requirement. They should also eliminate or sufficiently mitigate risks 
identified by commenters, especially those associated with financial 
obligations, and focus the requirement on aspects of the network 
relationship most likely to influence the firm's conduct of audits. The 
Board further believes these modifications clarify that the requirement 
is not intended to elicit proprietary, sensitive, or confidential 
information. Rather the requirement is intended to increase the 
availability and the standardization of information that many firms in 
networks already provide. The Board notes further that the firm is free 
to provide whatever information it believes is necessary to 
contextualize the required information. In this regard, the Board 
acknowledges that the narrative disclosure required will not achieve 
perfect standardization or comparability. Nevertheless, compared to 
voluntary disclosure, where some firms do not provide such information 
and the firms that do provide network information are free from any 
parameters for disclosure, the Board believes that the required 
reporting should provide greater standardization and comparability than 
is currently available.
Comments on Interpretation
    A commenter stated that it is not clear what is meant by the word 
``accountable'' in Item 5.2.b's requirement to disclose ``network 
governing boards or individuals to which the registered entity may be 
accountable.'' A commenter stated that consistent with guidance in the 
final release on Form AP, the PCAOB should also clarify that by 
``network'' arrangements, the proposal is not referring to subsidiaries 
of the registered firm, other entities controlled by the registered 
firm issuing the audit report, or other non-accounting firm affiliates 
(e.g., related entities with the registered firm that provide tax, 
valuation, or other assistance to the registered firm as part of the 
audit) whose work on audits would be supervised by and recorded in the 
working papers of the registered firm. A commenter encouraged the Board 
to further define the existing terms and how the Board expects firms to 
report the information. One commenter requested clarity around what is 
meant by requesting the `ownership structure of the network.'
    In consideration of comments, the Board notes that Form 2 currently 
requires firms to state whether the firm has any:
    1. Membership or affiliation in or with any network, arrangement, 
alliance, partnership or association that licenses or authorizes audit 
procedures or manuals or related materials, or the use of a name in 
connection with the provision of audit services or accounting services;
    2. Membership or affiliation in or with any network, arrangement, 
alliance, partnership or association that markets or sells audit 
services or through which joint audits are conducted; or
    3. Arrangement, whether by contract or otherwise, with another 
entity through or from which the Firm employs or leases personnel to 
perform audit services.
    The network reporting requirement, currently and under the final 
amendments, applies if the firm answers affirmatively in response to 
any of the described arrangements. The Board believes that these 
descriptions of what constitutes a network or other relationship are 
sufficiently specific. The Board is not aware that interpretive 
difficulties related to these provisions have arisen previously. 
Moreover, because of the modified requirement, which no longer contains 
terms commenters requested clarity on, the Board does not believe that 
further clarification is warranted.
Comments on Authority
    Commenters stated that the network is not registered and requiring 
reporting regarding non-registered entities may be beyond the scope of 
the PCAOB's authority. The Board continues to believe that it is 
squarely within the Board's authority to request information about 
aspects of network relationships that may influence the conduct of 
audits for the reasons noted above and in the proposal. The purpose of 
required network reporting has not historically been, nor is it now, to 
purport to regulate networks or other unregistered entities. Further, 
the Board believes that the modifications to this provision clarify the 
Board's focus on the registered entity itself.
Comments on Scaled Requirements
    The Board also solicited comment on whether the network-related 
requirements should be scaled in some fashion. A commenter stated that 
networks of many smaller firms are not a significant factor in those 
firms'

[[Page 96736]]

provision of audit services to issuer or broker-dealer clients and 
therefore this requirement should apply only to larger firms that 
perform a significant number of multinational audit engagements. 
Another commenter stated that it supported limiting the types of 
networks that are subject to the requirements to reduce the cost and 
reporting burden on smaller firms. The Board believes that the three 
categories of network relationship that Form 2 currently delineates 
continue to be important subjects of reporting, notwithstanding the 
size of the firm or the network, as they may influence the firm's 
conduct of audits irrespective of the size of the firm or the network. 
The Board further believes that modifications to this requirement 
should simplify reporting and reduce the burden for all firms, 
including smaller firms. Lastly, to the extent a firm is a member of a 
network but the relationship is simple or has a limited effect on its 
audit practice, the reporting would be similarly limited, thereby 
limiting the burden on the firm.
Special Reporting
1. Special Reporting Timeframe
    The Special Reporting Form currently imposes a 30-day reporting 
requirement for certain specified events. When the Board originally 
conceived its special reporting requirements through Form 3, it 
provided that the specified special reporting events were ``potentially 
of some immediate concern to the Board'' \107\ and that ``the public 
interest, as well as the ability to consider whether prompt action is 
warranted by the Board's inspection staff or enforcement staff, would 
be served by contemporaneous reporting of the event.'' \108\ The Board 
continues to believe that contemporaneous reporting of specified events 
serves both the Board's regulatory function and the public interest. In 
the proposal, the Board considered changes in the information 
environment in the over 15 years since the Board adopted the 30-day 
reporting deadline and concluded that more prompt special reporting is 
practicable and warranted.
---------------------------------------------------------------------------

    \107\ PCAOB Rel. No. 2022-006, at 10.
    \108\ PCAOB Rel. No. 2008-004, at 17.
---------------------------------------------------------------------------

    Accordingly, the Board proposed to revise Form 3's reporting 
deadline to 14 days after the triggering event occurs, or more promptly 
as warranted.
Comments Received
    Some commenters supported the proposed acceleration of the special 
reporting deadline. One commenter agreed that 14 days was an 
appropriate timeframe and that the reduced reporting period would mean 
investors can have access to important information on a more timely 
basis.
    Some commenters opposed and/or expressed concerns about the 
accelerated deadline:
     Commenters stated that they were concerned that the 
proposal does not adequately justify reducing the deadline, that it is 
unclear why the deadline needs to be accelerated, and that the PCAOB 
should identify what immediate actions it would take in response to the 
expedited reporting deadlines. Other commenters stated that is unclear 
what the justification is for increased cost and small firms will be 
disproportionately impacted.
     A commenter stated that to justify additional costs firms 
will incur to increase monitoring for such events, the Board should 
demonstrate what specific actions it would take as a result, and the 
benefit of earlier action.
     One commenter stated that it was concerned that 
accelerating the special reporting will result in otherwise avoidable 
errors in reports, pointing to the Board's conclusion in the 2008 
reporting adopting release that 14 days was insufficient. That 
commenter stated that for certain limited and highly material events 
(e.g., acquisition/divesture, financial stress, etc.) a more 
accelerated timetable for reporting may benefit the PCAOB's oversight 
activities, but stated that it did not believe that accelerated 
reporting aligning with SEC 8-K reporting requirements is appropriate.
     One commenter stated that it did not support the 
accelerated deadline, pointing to the Board's previous conclusion in 
the 2008 reporting adopting release, and stating that there do not 
appear to be compelling reasons to shorten the timeframe now. This 
commenter stated that matters subject to reporting may warrant 
additional legal advice before the firm can conclude it has a reporting 
obligation, including because of complexity related to the interactions 
between U.S. and non-U.S. laws. Further, this commenter stated that 
there would be increased costs associated with increased monitoring 
that would be required due to the accelerated deadline.
     One commenter stated that, to the extent the Board is 
relying on the assumption that collection processes can be automated to 
justify the proposed change, most of the information currently required 
to be reported on Form 3, as well as the additional information the 
Board is proposing to require, largely does not lend itself to 
automated tracking and processing, contending that the issues are 
infrequent, triggered by third party action, require the exercise of 
judgment, and potentially involve seeking legal advice. Another 
commenter similarly stated that 14 days is insufficient, noting that 
the events occur infrequently and unexpectedly and require analysis and 
assessment, and legal advice. Other commenters stated that Form 3 
reporting is not conducive to automation.
     A commenter noted that the reporting clock currently 
starts on the date that any partner, shareholder, principal, owner or 
member of the firm first becomes aware of the facts that trigger 
special reporting, and that a 14-day requirement would make it more 
challenging to allow time for internal processes to complete.
     Some commenters stated that the accelerated deadline would 
disproportionately impact non-U.S. firms, including because there may 
be issues as to whether a matter should be reported, whether a matter 
should be confidential, and/or whether a firm should withhold 
information due to legal conflicts. One commenter stated that it has 
observed firms struggling to comply with the 30-day deadline and 
recommended the PCAOB take into account that smaller firms do not have 
full time departments of lawyers and other professionals whose only job 
is to monitor compliance with PCAOB reporting forms.
     One firm opposed the acceleration without explanation. A 
commenter recommended maintaining the 30-day deadline (or phasing in a 
shortened deadline) for the more complex disclosures, such as those 
required to be reported in existing Part IV (Certain Proceedings) and 
Part V (Certain Relationships) of Form 3, as well as for the proposed 
new disclosures in Part VIII (Material Event Reporting).
     A commenter stated that smaller firms should be exempted 
from the accelerated reporting deadline, as the firm reporting 
requirements together would disproportionately impact smaller firms.
Response to Comments
    In consideration of comments and the Board's intended regulatory 
objectives, the Board has not adopted the proposed acceleration of the 
Form 3 reporting deadline for existing Form 3 items. The Board is 
mindful of costs, particularly for smaller firms, and the challenges 
and costs associated with implementing monitoring and reporting systems 
for the accelerated timeline for all Form 3 reporting items. The Board 
has, however, adopted the accelerated

[[Page 96737]]

reporting timeframes for the two new special reporting items: material 
event reporting (14 days) and cybersecurity incident reporting (five 
business days), discussed in a section below.
    As an initial matter, limiting the accelerated reporting timeframe 
to these two items will mitigate costs. In addition, the Board believes 
these items are distinguishable from existing Form 3 items. First, 
these items represent particularly time-sensitive matters, in contrast 
to existing Form 3 reporting triggers, which is a central impetus for 
implementing these reporting items. Second, these items are to be 
reported on a confidential basis, in contrast to existing Form 3 
reporting triggers, which should reduce costs associated with reporting 
and facilitate more timely reporting, i.e., reduce the need for 
extensive reviews due to public disclosure.
    The Board believes eliminating the proposed accelerated timeframe 
for existing Form 3 items and implementing it for new, more urgent 
reporting items strikes an appropriate balance between mitigating 
burdens associated with a shorter reporting timeframe and helping to 
ensure timely reporting of events that are sufficiently sensitive and 
urgent to merit more timely, confidential reporting to the Board.
    The Board also received comments requesting clarification of the 
requirement to report within 14 days ``or more promptly as warranted.'' 
This language no longer applies to existing Form 3 items, as the Board 
has retained the 30-day reporting period without modification. The 
Board has retained this language for material event reporting, which is 
subject to the accelerated timeframe. The Board reiterates that, where 
the reportable events would be publicly reported, either in media or 
through SEC reporting or otherwise, before the 14-day period has 
elapsed, more prompt reporting is warranted. In addition, firms should 
consider more prompt reporting with respect to particularly urgent 
events that may compromise the firm's ability to conduct audits on a 
timeframe shorter than 14 days.
2. Material Event Reporting
    In the proposal, in addition to the reporting deadline, the Board 
considered that certain significant events that have implications for 
the firm's operations, and therefore its audit practice, are not 
currently captured by the types of events required to be reported on 
Form 3. Thus, the Board concluded that certain additional special 
reporting triggers are warranted. The Board proposed to impose a 
general special reporting obligation for any event or matter that poses 
a material risk, or represents a material change, to the firm's 
organization, operations, liquidity or financial resources, or 
provision of audit services. As proposed, such events or matters would 
include, but would not be limited to:
     Any event or matter that has or is reasonably likely to 
materially impact the firm's total revenue as reported in its last Form 
2 filing; \109\
---------------------------------------------------------------------------

    \109\ This may include, but is not intended to be limited to, a 
solvency-threatening change in revenue. The Board notes an increase 
in revenue would also warrant reporting if it would necessitate 
significant audit staffing increases or other comparable 
organizational changes.
---------------------------------------------------------------------------

     A determination that there is substantial doubt about the 
firm's ability to continue as a going concern; \110\
---------------------------------------------------------------------------

    \110\ Firms may refer to the applicable audit standard and/or 
applicable financial reporting framework requirements for guidance 
in connection with this item.
---------------------------------------------------------------------------

     Planned or anticipated acquisition of the firm, change in 
control, or restructuring, including external investment and planned 
acquisition or disposition of assets or of an interest in an associated 
entity;
     Entering into or disposing of a material financial 
arrangement that would affect the firm's liquidity or financial 
resources (such as a line of credit, revolving credit facility, loan, 
or other financing), or group of related arrangements;
     Any actual or anticipated non-compliance with loan 
covenants;
     Material changes in the insurance or loss reserves of the 
firm and material changes related to captive insurance or reinsurance 
policies, including events that triggered material claims on such 
policies;
     Material changes in the amount of unfunded pension 
liabilities;
     That the firm has entered into, or plans to enter into, a 
definitive agreement or other arrangement that would cause a material 
change to the firm's operations or provision of services (e.g., 
spinning off a consulting business or severing a portion of the 
business for private equity involvement);
     That the firm has obtained a license or certification 
authorizing the firm to engage in the business of auditing or 
accounting and which has not been identified on any Form 1 or Form 3 
previously filed by the firm, or there has been a change in a license 
or certification number identified on a Form 1 or Form 3 previously 
filed by the firm;
     A change in principal executive officer; or
     Any other planned or anticipated material amendments or 
changes to the firm's organization, legal structure, or 
governance.\111\
---------------------------------------------------------------------------

    \111\ For example, a plan to restructure to separate auditing 
and non-auditing functions would warrant reporting under the 
proposed requirement. Such reporting should capture transactions 
whereby a legal separation of entities would result in assurance 
business partners maintaining or receiving an ownership interest in 
a new or existing non-assurance entity.
---------------------------------------------------------------------------

    The Board proposed that material events be reported confidentially.
General Comments
    Some commenters supported the proposed material event reporting and 
agreed that it would enhance understanding of significant events at 
firms, including events that may pose a risk not just to an individual 
firm, but to the broader market for audit services, such as a large 
firm exiting the market. Some commenters noted they appreciated the 
importance of timely notification to the Board of material events.
    Some commenters generally opposed the material event reporting. One 
commenter stated that the proposed requirement is overly broad and 
subject to hindsight bias. This commenter stated that the requirement 
included an ambiguous set of possible scenarios and may create 
operational challenges in maintaining sufficient quality management 
controls over reporting. Some commenters questioned how the information 
would be useful or impact a firm's provision of audit services, with 
one commenter stating that the only provision that would impact audit 
services was the going concern item. A commenter stated that the listed 
examples lack clarity and that firms need flexibility in conducting 
operations, including planning and investing based on their overall 
operating objectives, without having to disclose these plans to the 
PCAOB. That commenter also stated that it did not believe that 
financial or operational information related to the firm's non-audit 
practice is relevant to the PCAOB's oversight. It further questioned 
how a firm would account for the portion of their operations under the 
PCAOB's jurisdiction, asking if a firm would be required to come up 
with an allocation analysis.\112\ Relatedly, a commenter also expressed 
that clarity is needed over whether the reporting requirements cover 
the firm as a whole, or whether reporting is required in

[[Page 96738]]

relation only to any issuers within PCAOB remit.
---------------------------------------------------------------------------

    \112\ This commenter also offered a number of objections to 
public disclosure of information generally and with respect to 
particular items, which are inapposite given the confidential nature 
of the reporting.
---------------------------------------------------------------------------

    A commenter stated that the events that would trigger special 
reporting are too broadly defined and inconsistent with the PCAOB's 
mission. Another commenter stated that such information should be 
required through the inspection process.
    Some commenters expressed concerns regarding the reporting of 
planned or anticipated events and/or recommended removing such 
provisions:
     A commenter stated that situations where impact is 
uncertain or unpredictable, such as the inclusion of events or matters 
that may reasonably impact a firm's total revenue, raise questions 
about how certain events, such as economic conditions or the COVID-19 
pandemic, should be treated. The commenter stated further that there is 
uncertainty regarding how a firm would determine the timing of planned 
or anticipated events and further clarification from the Board on how 
to handle these types of events would be valuable.
     A commenter stated that it did not believe it would be 
appropriate or practical for a firm to file Form 3 for planned or 
anticipated events; it disagreed with the proposal's discussion of 
public relations plans as an indicator of future events, stating that 
events can change significantly between the commencement of 
communication plans and the execution of a definitive agreement.
     A commenter stated that reporting should apply to events 
that have taken place, not to those that are reasonably likely to 
happen.
     A commenter recommended limiting reporting to events that 
have been completed, stating that otherwise firms may be obligated to 
report on normal course matters that do not come to fruition.
     A commenter stated that it was concerning that the 
proposed requirements related to anticipated events and the related 
ambiguity would leave the firms subject to second-guessing and 
therefore would likely result in overreporting, with the attendant 
increased costs and unnecessary exposure of highly proprietary 
information.
     A commenter stated that the proposed threshold of 
``substantially likely'' as a trigger for reporting is judgmental, that 
many of the events listed in the proposal may take some time to 
develop, and that it may not be clear when the event is substantially 
likely to occur. This commenter also stated that it was concerned about 
whether and how the PCAOB staff may challenge those judgments during an 
inspection.
    Some commenters offered specific comments on certain enumerated 
items in the non-exhaustive list:
    Any event or matter that has or is reasonably likely to materially 
impact the firm's total revenue as reported in its last Form 2 filing.
     Commenters suggested modifying this item to strike 
``reasonably likely to'' and to pertain to total fees billed rather 
than revenue.
     A commenter stated that the purpose of this requirement is 
not clear, as the commenter stated that firms are already required to 
communicate when they resign from an engagement and if a firm decides 
to exit audits in a particular industry, appropriate communication will 
be provided through the existing requirement. The commenter also stated 
that this requirement will disproportionately impact smaller firms 
because every decision could be material to the firm.
    Planned or anticipated acquisition of the firm, change in control, 
or restructuring, including external investment and planned acquisition 
or disposition of assets or of an interest in an associated entity.
     Commenters supported adding a materiality threshold.
     A commenter suggested deleting this item.
     A commenter stated the requirement lacked clarity with 
respect to the term planned and anticipated.
    Entering into or disposing of a material financial arrangement that 
would affect the firm's liquidity or financial resources (such as a 
line of credit, revolving credit facility, revolver, loan, or other 
financing), or group of related arrangements.
     A commenter stated this requirement is particularly 
onerous and administratively burdensome and would be a significant 
distraction from the operations of a firm, and questioned whether this 
includes switching financial institutions or entering into lease 
arrangements and what the purpose of requiring this information is.
     A commenter suggested explicitly excluding routine 
transactions regarding material financial arrangements that are entered 
into as a matter of course, such as refinancing based on interest rate 
changes, or other transactions that do not have a material impact on 
the firm's liquidity or financial resources.
     A commenter suggested that in most cases, a routine 
financing arrangement will have no impact on a firm's audit practice so 
it is unclear how the materiality principle would be applied to these 
transactions. This commenter stated that a qualitative materiality will 
be much more relevant to a firm's reporting of this type of 
arrangement.
    Any actual or anticipated non-compliance with loan covenants.
     Some commenters supported adding a materiality threshold.
     A commenter suggested modifying this item to strike ``or 
anticipated.''
    Material changes in the insurance or loss reserves of the firm and 
material changes related to captive insurance or reinsurance policies 
including events that triggered material claims on such policies.
     A commenter questioned whether this would include events 
that triggered material claims on such policies and stated that the 
purpose of this public disclosure is not clear.
     A commenter stated that this requirement is beyond the 
scope of the PCAOB's oversight authority, and that unless such events 
fall within the scope of existing Form 3 reporting requirements, it 
does not believe this item should be included in a final rule.
     A commenter suggested striking this item.
     A commenter stated that the requirement is well beyond the 
scope of the PCAOB's oversight authority and that, unless such events 
fall within the scope of existing Form 3 reporting requirements, it 
does not believe this item should be included in a final rule.
    Material changes in the amount of unfunded pension liabilities.
     A commenter questioned, to the extent that these assets 
are invested in the stock market, whether a firm would have to provide 
notice in the event of a material change in the stock market.
    The firm has entered into, or plans to enter into, a definitive 
agreement or other arrangement that would cause a material change to 
the firm's operations or provision of services (e.g., spinning off a 
consulting business or severing a portion of the business for private 
equity involvement).
     A commenter stated this element should be required only 
where a definite agreement has been entered into.
     A commenter suggested striking ``or plans to enter into'' 
from this item and broadening it to include changes to the firm's 
ownership, and governance.
    Any other planned or anticipated material amendments or changes to 
the firm's organization, legal structure, or governance.
     A commenter suggested striking this item.
    A commenter stated that the benefit in some instances of disclosing 
material positive changes, rather than only

[[Page 96739]]

material adverse changes, is unclear, citing that the objective of 
reporting favorable material changes in the amount of unfunded pension 
liability lacks clarity. A commenter suggested amending the ``non-
exhaustive list'' of events that if material, should be reported to 
include: ``Notifications from regulatory agencies (e.g., Boards of 
Accountancy, IRS, FBI).''
    A commenter stated that the non-exhaustive list provided by the 
PCAOB is beneficial in identifying potential subjects for material 
event reporting but that additional guidance would enhance clarity in 
interpreting and applying the requirement. By contrast, other 
commenters expressed concern with the nature of non-exhaustive nature 
of the list, stating that reporting requirements should not contain 
subjective language or be open to interpretation, that the PCAOB should 
consider providing specific parameters of what should be reported 
rather than providing a non-exhaustive listing.
    Some commenters stated that certain example events include the 
concept of materiality directly in the example but the title of the 
reporting and the lead-in to the listing of potential events includes 
the concept of materiality more broadly, and that it is unclear whether 
the concept of materiality applies to all enumerated items.
Response to General Comments
    The Board continues to believe that timely, confidential \113\ 
reporting of significant events (including solvency-threatening events) 
that may impact the firm overall, and therefore its provision of audit 
services, will provide the PCAOB with more complete information 
regarding the audit firm and its audit practice. Such reporting will 
enhance the Board's understanding of significant events at the 
registered firms it oversees, including events that may pose a risk not 
just to an individual firm, but to the broader market for audit 
services, such as a large firm exiting the market. The objective of 
this provision is not to require reporting regarding aspects of a 
firm's business that are not subject to PCAOB oversight but to require 
reporting of significant events that the firm experiences that will 
affect its audit practice in such a manner as to warrant notifying the 
Board promptly. As discussed in the proposal, these are the types of 
events that some firms have in the past notified the Board of 
informally, suggesting the appropriateness of notifying the Board of 
such events. Creating a formal requirement will increase clarity 
regarding and uniformity in reporting of such events.
---------------------------------------------------------------------------

    \113\ The Board has added a note and instruction to Form 3 to 
clarify the confidential status of information reported under this 
item.
---------------------------------------------------------------------------

    Constructing the provision in the proposal as a general requirement 
with a non-exhaustive list of included reporting events was intended to 
provide parameters for disclosure while maintaining flexibility to 
accommodate events that may not be included in the narrowly defined 
enumerated events. The individually enumerated items were meant to 
capture scenarios the Board could foresee would merit reporting and to 
define them with sufficient specificity to provide adequate guidance to 
firms. The use of the materiality threshold, which the Board 
acknowledges requires greater judgment on the part of the firm than 
bright line disclosure requirements, was meant to limit the focus of 
reporting to events that would have a significant enough impact on the 
audit practice to warrant prompt reporting. (See below for further 
discussion of the materiality threshold.) The Board continues to think 
this basic structure--general requirement, non-exhaustive enumerated 
items, and materiality qualifier--is appropriate. Given that the 
enumerated list captures the scenarios the Board foresees are 
appropriate for reporting, the Board believed that reporting outside 
the list is likely to be relatively infrequent, but the Board does not 
wish to foreclose the possibility entirely.
    In response to several comments, the requirement is not intended to 
capture routine or recurring events. The Board has added a note to this 
effect to the form. In this regard, the Board does not believe 
significant changes to the firm's monitoring systems should be 
required. The requirement is intended to focus on the types of events 
that firm leadership should already be aware of.
    In response to the comment regarding whether allocation analyses 
are required, the requirement is only to report the event, not to 
analyze or quantify the precise effect on the audit firm. There is no 
requirement or expectation that firms would provide any kind of 
analysis in connection with this reporting event, only a brief 
description, which is tailored to alert the Board to the event and 
provide sufficient information for the Board to understand at a high 
level the nature of the event and determine if it wishes to request 
additional information from the firm.
Scaling the Requirement
    In consideration of comments and consistent with the Board's 
regulatory objectives, the Board has limited the firms subject to this 
requirement to registered public accounting firm that, during the 
preceding calendar year, issued audit reports with respect to more than 
100 issuers (i.e., annually inspected firms). The Board believes such 
an accommodation will help limit the burdens associated with the 
reporting requirements to larger firms best able to bear them. In 
addition, the Board believes that material events at larger firms 
subject to annual inspection are more likely to have potential 
spillover effects to the broader market and therefore this limitation 
is more in line with the objective of this reporting requirement.\114\ 
Furthermore, the revisions to Form 2 that the Board has adopted, which 
are applicable to all firms, capture information analogous to certain 
of the special reporting requirements (e.g., principal executive 
officer and other governance information), thus providing a continual 
reporting touchpoint for smaller firms as well.
---------------------------------------------------------------------------

    \114\ This is not to suggest that the material events enumerated 
would not occur at smaller firms, only that the reporting required 
under Item 8.1 is applicable only to annually inspected firms.
---------------------------------------------------------------------------

Modifications to the Enumerated List
    While the Board believes the general approach it proposed is 
appropriate, the Board has modified the reporting item in several ways 
to promote clarity, ease implementation, and better focus the provision 
on the firm's audit practice.
    First, the Board has modified the general requirement to include 
the qualification that events must affect the provision of audit 
services. The final item will thus apply to any event or matter that 
poses a material risk, or represents a material change, to the firm's 
organization, operations, liquidity, or financial resources, in such a 
manner that it will affect the provision of audit services. This will 
clarify that the objective of the reporting is to capture material 
events at the firm level that will ultimately affect the audit 
practice.
    As an additional change, after considering comments, the Board has 
removed proposed language related to planned or anticipated events and 
restricting the reporting to events that have occurred as the Board is 
mindful that it may call for speculative judgments. The Board believes 
this will reduce complexity, ambiguity, and the risk of overreporting. 
However, the Board notes that certain events are defined as agreements 
to undertake certain action, i.e., entering into a definitive agreement 
to restructure, not

[[Page 96740]]

the restructuring itself, would trigger reporting. Further, the Board 
has added a materiality qualifier to all events except the change in 
principal executive officer and licensure events to clarify it does not 
intend to capture routine business events.
    Below the Board illustrates changes to each element of the list and 
introductory language:
[GRAPHIC] [TIFF OMITTED] TN05DE24.000

    This change reflects the clarified focus on the audit practice 
discussed above.
[GRAPHIC] [TIFF OMITTED] TN05DE24.001

    This reflects a conforming change in light of modifications to the 
fee reporting item. The Board continues to believe both material 
increases and decreases in revenue are appropriate for reporting. 
Material decreases may reflect significant solvency issues, while 
material increases may necessitate staffing or other significant 
changes to accommodate new areas of business. The Board has retained 
the phrase ``is reasonably likely to'' in this item. The Board believes 
this is distinguishable from instances where the Board has stricken 
language related to planned or anticipated events. Here, the event 
itself has occurred and it is the effect on the firm's fees that is 
anticipated. The Board believes such language is necessary as fees are 
reported for an annual period; waiting until the actual change in 
reported fees would result in reporting of the event that is too 
delayed (i.e., would result only in annual reporting of such an event).
     A determination that there is substantial doubt about the 
firm's ability to continue as a going concern.
    This item is unchanged from the proposal. The Board continues to 
believe that substantial doubt regarding a firm's ability to continue--
and therefore to conduct audits--is an appropriate subject for special 
reporting.
[GRAPHIC] [TIFF OMITTED] TN05DE24.002

    The Board has eliminated this item as it has been consolidated into 
another item below (definitive agreements that would cause a material 
change to the firm).
[GRAPHIC] [TIFF OMITTED] TN05DE24.003

    In consideration of comments, this change is to clarify that the 
effect of the financial arrangement should be material and exclude 
routine events. The Board continues to believe that material changes in 
a firm's access to

[[Page 96741]]

resources could importantly impact the provision of audit practice and 
are therefore appropriate subjects for reporting.
[GRAPHIC] [TIFF OMITTED] TN05DE24.004

    This change is to eliminate anticipated events, as discussed above. 
Non-compliance with loan covenants could lead to a loss of credit or 
access to other funding sources that may impact the firm's ability to 
conduct audits. Because of this, the Board believes that any non-
compliance with loan covenants would be material and is not adding a 
materiality qualifier to this item.
     Material changes in the insurance or loss reserves of the 
firm and material changes related to captive insurance or reinsurance 
policies including events that triggered material claims on such 
policies.
    This item remains unchanged from the proposal. The Board thinks it 
is clear that it applies only to material changes and material claims 
as formulated.
[GRAPHIC] [TIFF OMITTED] TN05DE24.005

    This change reflects the Board's agreement with commenters that 
limiting this item to adverse changes will elicit more useful 
reporting.
[GRAPHIC] [TIFF OMITTED] TN05DE24.006

    The changes to this item broaden its scope, such that the Board can 
delete other enumerated items, and streamline the list as a whole. The 
changes also reflect the removal of anticipated events described above.
     That the firm has obtained a license or certification 
authorizing the firm to engage in the business of auditing or 
accounting and which has not been identified on any Form 1 or Form 3 
previously filed by the firm, or there has been a change in a license 
or certification number identified on a Form 1 or Form 3 previously 
filed by the firm.
     A change in principal executive officer.
    These two items remain unchanged from the proposal. The Board 
continues to think they are appropriate subjects for special reporting.
[GRAPHIC] [TIFF OMITTED] TN05DE24.007

    This item has been deleted as the definite agreement item is 
sufficiently broad to make this item redundant.
    The Board believes these changes are responsive to commenters and 
will focus the reporting on events that will affect the audit practice. 
In addition, insofar as the changes clarify and streamline the 
requirement, the Board believes they should ease the burdens of this 
requirement for all firms, including smaller firms.
Comments on Materiality Interpretation
    The Board also received comments on the application and 
interpretation of the term ``material.'' A commenter recommended 
amending the proposed requirements to insert a footnote to the first 
reference of ``material'' to explain the meaning of the term, including 
the term's relationship to the ``SEC guidance'' on materiality. Other 
commenters expressed concerns regarding operationalizing the 
materiality threshold. A commenter stated that the law on what 
constitutes material information for accounting firms is not well-
developed. A commenter stated that the proposal's discussion of 
materiality does not align with any current definition of the term in 
the securities laws, case law, or common commercial agreements. A 
commenter stated that the Board should be clearer on materiality 
guidance and it should be included in the rule. This commenter 
recommended being clearer that qualitative materiality considerations 
may often be more relevant to this determination than quantitative 
ones, stating that firm revenue may change in ways that might be 
quantitatively material in an audit context, but such changes usually 
do not pose material risk, and, therefore, should not require Form 3 
reporting.
    A commenter stated that the SEC's guidance on materiality judgments 
in Staff Accounting Bulletin No. 99 (SAB 99) referenced in the release 
is not a workable threshold for reporting, and that the PCAOB should 
better define the threshold for reporting and provide

[[Page 96742]]

examples to clearly illustrate its intended reach. Another commenter 
stated that the evaluation of materiality related to this reporting is 
overly broad and challenging to apply, that the analogy to the SEC 
guidance on qualitative materiality does not translate to the type of 
reporting the PCAOB proposes, and that clarity is needed to define what 
is meant by a material circumstance or event, as the qualitative 
aspects of circumstances that may influence the degree of trust or 
reliance that a reasonable investor would place in the audit report are 
too broad.
Response to Materiality Comments
    As discussed above, the Board acknowledges that applying a 
materiality threshold will require greater judgment than a bright line 
reporting trigger.\115\ The use of the materiality threshold is meant 
to limit reporting to those events that warrant special reporting, 
while retaining some flexibility to account for unforeseen or difficult 
to define events. The Board believes some threshold is required. The 
Board considered using ``significant''--as evidenced by the discussion 
in the release, the Board is generally seeking reporting of events 
that, consistent with the common understanding of the term, are 
significant. However, the term ``significant,'' like any threshold, 
would also require some definition or guidance. The Board has used the 
term ``significant'' in connection with cybersecurity incident 
reporting, discussed below. The Board defined the term narrowly and 
specifically there because it wants a more concrete threshold. By 
contrast, this requirement is intended to be more elastic. Materiality 
is meant to act as a limitation on reporting, but one that permits 
greater judgment on the part of the firm.
---------------------------------------------------------------------------

    \115\ A commenter stated generally that the proposed 
requirements included a mix of rules-based and principals-based 
requirements, and for requirements that include a materiality 
determination or those that use language requiring the exercise of 
judgment as to what should be reported, the commenter urged the 
Board to embrace the spirit of principles-based requirements and not 
use disagreements about firms' good faith judgments as a basis for 
increasing enforcement cases. As discussed in this section, the 
materiality threshold is intended to act as a limitation on the 
information required to be reported to reduce burden of reporting 
while still eliciting significant information. Generally, 
requirements that permit judgment, including those that include a 
materiality threshold, are intended to provide flexibility to tailor 
disclosure appropriately based on a firm's understanding of its 
business. The Board would exercise appropriate discretion in an 
inspection or enforcement context.
---------------------------------------------------------------------------

    The Board continues to think materiality is the appropriate 
threshold and one that auditors are familiar with. Based on comments, 
the Board no longer believes that the discussion of materiality in the 
proposal referencing investor reliance on the audit report--namely, the 
statement that material events should be understood as those that may 
affect the audit practice or companies under audit so as to influence 
the degree of trust or reliance that a reasonable investor would place 
in the audit report and therefore the financial statements--was 
clarifying. As an initial matter, based on comments, the Board does not 
think that formulation is consistent with the manner in which audit 
firms would apply materiality vis-[agrave]-vis the audit firm. In 
addition, upon reflection, premising the requirement on the investor 
perspective sets too high a bar, given the more indirect relationships 
of investors to the audit firm.
    The Board continues to believe that the general principles of 
materiality set forth in SEC guidance and related materials is 
appropriate to consider and apply in this context, and familiar to 
auditors. Namely, a materiality determination would involve 
consideration of both quantitative and qualitative considerations, with 
``qualitative'' materiality referring to surrounding circumstances that 
would inform evaluation of an event. However, the perspective, or lens 
through which to apply those principles is not the investor's but that 
of a reasonably prudent audit partner. This is not to say that 
reporting is restricted to events that the firm has already announced 
to its partnership. Rather, the analysis asks whether a reasonably 
prudent audit partner would want to be informed of this information. 
The Board believes the examples in the enumerated list are sufficient 
examples of the types of events subject to reporting under this 
standard. The Board agrees with commenters that the materiality 
assessment will generally be qualitative rather than quantitative, even 
with respect to financial events.
    To codify this approach, the Board has added the following note to 
Item 8.1: The term ``material'' should be understood to limit the 
reported information to those matters about which reasonably a prudent 
audit firm partner would want to be informed, applying the general 
principles of qualitative materiality familiar from the securities law 
context. This understanding of materiality is applicable only to 
reporting under Item 8.1. This item is not intended to capture routine 
or recurring events.
Comments on the Reporting Clock
    The Board solicited comments on when the reporting clock should 
start, including whether, for material event reporting, it should begin 
on the date the firm determines an event to be material. A commenter 
stated that changing the start date of the reporting clock to be the 
date on which the firm determines the event to be material could 
facilitate compliance and make the timeline more operable. A commenter 
stated that it believes there needs to be clarity around the trigger 
for accelerated reporting, and suggested retaining the existing trigger 
of when any partner, shareholder, principal, owner, or member of the 
firm first becomes aware that the event is pending and adding a second 
materiality consideration. Another commenter seemed to agree with 
starting the reporting clock on the materiality determination. One 
commenter stated that is untenable for the standard to be the date 
``any partner . . . first becomes aware of the facts'' and the special 
reporting timeframe should be aligned with the knowledge of relevant 
facts by firm leadership.
    As an initial matter, the Board has not altered the trigger for the 
start of the reporting clock for any existing Form 3 items. The Board 
is not aware that there is any implementation difficulty in practice 
for existing Form 3 items related to the existing trigger.
    For material event reporting, however, the Board continues to think 
it is appropriate to begin the reporting period upon the determination 
that an event is material, especially in light of the shorter reporting 
timeframe for material events. This approach will accommodate an 
informed and potentially deliberative process involved in making a 
materiality determination and the possibility that the materiality 
determination may not in some instances occur on the same day the event 
occurs. However, the Board notes that it is the Board's expectation 
that materiality determinations not be unreasonably delayed.
Comments on Authority
    Some commenters questioned the Board's authority to require 
reporting beyond the PCAOB's oversight of issuer audits. One commenter 
stated that the Board should focus its disclosure requirements to 
events that have an impact on the firm's ability to perform quality 
audits of issuers and as such should not extend to areas beyond the 
Board's jurisdictional authority. Another commenter stated that certain

[[Page 96743]]

actions the Board discusses in the proposing release appear to fall 
outside the Board's mandate--that is, those similar to what would be 
expected of a prudential regulator. That commenter further stated that 
the PCAOB should not unilaterally assign itself prudential regulator-
type responsibilities absent legal authority (i.e., without further 
action by Congress), and the proposed amendments to Form 3 and 
requirements to obtain financial statements from the largest firms 
could be viewed by investors as the PCAOB doing so. Other commenters 
stated that the reporting would be more appropriate for a prudential 
regulator which the PCAOB is not.
    The Board is not purporting to assert operational control over 
audit firms. The intention of the proposed reporting requirements is 
not to elicit information regarding non-audit operations, but to elicit 
information regarding events that will affect the firm's audit 
practice. The Board believes the modifications discussed above 
emphasize this and tailor the requirements to achieve this objective.
Cybersecurity
1. Cybersecurity Incident Reporting
    The Board knows that firms experience cybersecurity incidents. The 
Board further knows that such incidents have the potential to cause 
substantial harm to audit firms, companies under audit, and investors 
through, for example, the disruption of the provision of audit services 
or the exposure of confidential information to the public. The PCAOB 
has no formal mechanism to receive prompt information about such 
incidents and any responses. Accordingly, the Board proposed to 
implement special reporting requirements for prompt reporting of 
significant cybersecurity incidents. Specifically, the Board proposed 
to revise Form 3 to require the reporting of significant cybersecurity 
incidents within five business days on a confidential basis. The Board 
proposed to define ``significant cybersecurity incidents'' as those 
that have significantly disrupted or degraded the firm's critical 
operations, or are reasonably likely to lead to such a disruption or 
degradation; or those that have led, or are reasonably likely to lead, 
to unauthorized access to the electronic information, communication, 
and computer systems (or similar systems) (``information systems'') and 
networks of interconnected information systems of the firm in a way 
that has resulted in, or is reasonably likely to result in, substantial 
harm to the audit firm or a third party, such as companies under audit 
or investors. The reporting period, as proposed, would have been 
measured from the time the firm determined the event to be significant.
General Comments
    Some commenters generally supported the cybersecurity disclosure 
initiative, emphasizing the impact of technology on audits and the 
Board's duties. One firm mentioned that reporting cybersecurity 
incidents and breaches is important to investors and cited the benefits 
of transparency in this area as auditors defend themselves against 
cyberattacks. Another commenter agreed that such cybersecurity 
disclosure would inform the PCAOB and other regulators of critical 
information regarding the potential for disruptions of audit firm 
operations that could not only impact the provision of audit services, 
but could also indicate potential compromises of individual or issuer 
information.
Comments on the Clarity and Scope of the Term ``Significant 
Cybersecurity Incident''
    On the other hand, several commenters expressed concern over the 
clarity and scope of the defined term ``significant cybersecurity 
incident.'' One firm commented that the Board should provide examples 
of what would fall under this term and another suggested that the 
proposed definition needs to be more specific. Commenters also 
suggested adopting the term ``material'' instead of ``significant'' as 
it is a term already broadly understood. A commenter also encouraged 
the Board to clarify how an incident is defined for reporting purposes 
and to clarify whether breaches as defined in the proposal include only 
direct breaches to the audit firm network or if breaches include any 
consequences of breaches to clients or service providers to the audit 
firm. One commenter also recommended incorporating a clear definition 
of what constitutes a related group of cybersecurity incidents. 
Commenters mentioned specific terms within the definition that they 
believe require more explanation, including ``disrupted,'' 
``degraded,'' ``critical operations,'' ``significant,'' and 
``substantial harm.''
    Further, several commenters asserted that the scope of this 
requirement should be limited to events that have affected a firm's 
issuer or broker-dealer audit practices. A commenter opposed language 
requiring the assessment of ``substantial harm'' to third parties and 
argued that this concept should be considered by the company and not 
the firm. Similarly, another commenter stated that any harm to an 
investor is likely derivative of the harm to the company itself and if 
the Board expects any non-derivative harm, the Board should identify 
such potential harms. Another commenter suggested that the Board use 
the term ``substantial impact'' instead. One commenter suggested 
keeping ``substantial harm'' but amending the rule text to target 
disruption or degradation to a firm's ``critical audit-related 
operations.''
    Some commenters asserted that any requirement in this area would 
exceed the PCAOB's statutory authority. One commenter questioned the 
PCAOB's authority or need to receive such information from registered 
firms, given the PCAOB's jurisdiction. Additionally, several commenters 
expressed disapproval over the ``reasonably likely'' reporting 
threshold and advocated for a threshold that requires reporting only 
upon confirmation of the significant cybersecurity incident. One 
commenter stated that the proposed reporting threshold requires 
significant speculation and could be second guessed in hindsight. 
Another similarly stated that the proposal leaves room for 
interpretation as to which incidents are ``reasonably likely to lead to 
disruption/degradation/unauthorized access/substantial harm.''
    After taking into consideration these comments, the Board has 
altered the proposed definition of ``significant cybersecurity 
incidents.'' Now, the Board defines this term as those cybersecurity 
incidents that have significantly disrupted or degraded the firm's 
operations critical to the functioning of the audit practice; or those 
that have led to unauthorized access to the electronic information, 
communication, and computer systems (or similar systems) (``information 
systems'') and networks of interconnected information systems of the 
firm in a way that has resulted in substantial harm to the audit firm's 
critical audit-related operations. This new definition removes the 
``reasonably likely'' threshold and only includes events that have 
impacted a firm's audit practice. The Board also elected to maintain 
the modifier ``significant'' instead of ``material,'' as recommended by 
some commenters, since the Board believes its defined term 
``significant cybersecurity incidents'' would invite less confusion 
than one that integrates a well-established concept like materiality. 
Further, the Board is still requiring a determination of substantial 
harm. The Board believes that other suggested alternatives, like 
``substantial

[[Page 96744]]

impact,'' are broader and turn the focus away from the negative impact 
that the Board's disclosure rule aims to capture. The Board also 
clarified in the new definition that the substantial harm should affect 
the audit firm's critical audit-related operations. While the Board 
maintains that this rulemaking falls within its statutory authority, 
such a change should assuage commenters' concerns around the degree of 
speculation involved in the proposed definition and the inclusion of 
harm to third parties.
    The new definition of ``significant cybersecurity incidents'' 
retains some terms that were cited by commenters as requiring further 
explanation. The Board considers the term ``critical operations'' to 
generally include activities and processes that if disrupted could 
prevent the firm from continuing to effectively provide audit-related 
services. Further, some commenters sought clarity around the phrase 
``significantly disrupt'' or ``significantly degrade.'' As an example, 
if a cyberattack cuts off access to a critical audit-related service, 
it would be deemed to have significantly disrupted or degraded the 
entity's operations critical to the functioning of the audit practice. 
In a similar vein, an example of ``substantial harm'' would include the 
loss of a firm's data caused by malware.
Comments on the Reporting Timeframe
    Some commenters disagreed with the required reporting timeframe and 
believe five business days is too short given the practical obstacles 
of this reporting. One commenter stated that requiring reporting to the 
PCAOB within five business days adds to the regulatory burden and that 
the benefits of such a timeline need to be further demonstrated. 
Another cited the need for a longer reporting timeframe for smaller 
firms with fewer resources. A commenter also expressed concern over the 
ability to assess the ramifications of a breach and provide meaningful 
disclosures in this timeframe. One commenter stated that where 
incidents need to be reported, a yearly or quarterly report or, at 
minimum, 90 days after a confirmed significant cybersecurity incident 
has actually occurred, would be more suitable timeframes. Another 
suggested that the PCAOB consider taking a tiered approach to the 
requirement to report within five days, reflecting the difference 
between registered firms issuing audit reports and those which do not. 
However, to the contrary, a commenter also noted that the proposed 
reporting period within five business days may be sufficient and timely 
and aligns with the SEC Cyber Release. Commenters also suggested that 
the Board incorporate a process for supplementing any report with 
information as it becomes available, in an effort to mitigate the 
effects of any speculative or unconfirmed information supplied in the 
first round of disclosure.
    Having considered these comments, the Board has decided to maintain 
the five business-day disclosure timeframe. Given the Board's 
expectations of the content of the reporting, this timeline is 
sufficient for firms to make determinations regarding the incident's 
significant high-level effects. The Board does not intend for firms to 
produce a detailed analysis of the incident that would go beyond a 
summary that satisfactorily addresses the criteria of this requirement. 
In the proposal, the Board stated that it would require firms to report 
``the effect of the incident on the firm's operations.'' Instead, the 
Board now requires firms to report ``the determined effects of the 
incident on the firm's operations.'' Such a change should alleviate the 
need to provide definitive conclusions regarding the incident's effects 
and allow for estimates to be reported, with the option for future 
regulatory follow-up. The Board believes that the adjustments to the 
requirement will mitigate the cost burdens associated with this 
reporting for both small and large firms. Firms also have the option of 
following up with the PCAOB should they discover more information about 
the breach after the five-business-day period.\116\
---------------------------------------------------------------------------

    \116\ Further, the SEC's Cybersecurity Risk Management, 
Strategy, Governance, and Incident Disclosure final rule, effective 
from September 5, 2023, imposes a 4-day reporting period on public 
disclosure of certain cybersecurity incidents. Many of the 
parameters of the SEC's reporting overlap with the Board's proposed 
confidential reporting.
---------------------------------------------------------------------------

Comments on the Clarity on Other Terms
    Some commenters also sought further clarity regarding the 
information to be reported, stating that expectations as to what 
information should be included in the reporting should be written into 
the text of the rule and not limited to commentary in the adopting 
release. Another commenter requested that the instructions to Form 3 
should include information that the PCAOB would expect to be reported 
regarding cybersecurity incidents. One firm recommended that the Board 
clarify the term ``sufficient information'' in its reporting 
requirement and provide illustrative disclosures to assist firms in 
determining what disclosures are expected. One commenter stated that 
the proposal does not provide clarity as to whether the required notice 
must include reference to or details about the company's response 
capabilities, including its cyber defenses and response techniques and 
if construed broadly, the proposal could require reports that might 
effectively ``roadmap'' a firm's vulnerabilities and response strategy 
to attackers. Commenters also recommended that the Board make clear 
that reporting firms can provide estimates as part of its disclosure. 
One commenter requested clarity regarding the actions the Board may 
take in connection with any reported cybersecurity incidents, including 
the proposed regulatory follow-up.
    Given the above comments, the Board would expect such confidential 
reports to include sufficient information for the PCAOB to understand 
the nature of the incident and whether regulatory follow-up is 
warranted, including a brief description of the nature and scope of the 
incident; when it was discovered and whether it is ongoing; whether any 
data was stolen, altered, accessed, or used for any unauthorized 
purpose; the determined effects of the incident on the firm's 
operations; whether the firm has remediated or is currently remediating 
the incident; and whether the firm has reported the incident to other 
authorities. The term ``sufficient information'' is clarified above by 
detailing the level of information the Board expects in the disclosure. 
In response to whether or not the Board requires information regarding 
response capabilities and the vulnerabilities that may arise from this, 
the Board has only required information that indicates whether or not 
the firm is remediating the incident and regardless of the level of 
detail provided, this information will remain confidential. Further, as 
stated above, firms may provide estimates, as needed, to satisfy this 
disclosure requirement and thereafter update the PCAOB as information 
becomes clearer if appropriate. Such estimates may be later clarified 
via regulatory-follow-up. Such follow-up will be based on the facts and 
circumstances of the particular disclosure and will be performed on an 
informal basis with PCAOB staff. Last, the Board has amended Form 3, 
but not the rule text, to include a short description of the 
information the Board expects to be reported. The Board believes that 
amending the form sufficiently addresses the expressed need for clarity 
regarding the information to be reported.

[[Page 96745]]

Comments on Confidentiality and Conflicts
    Commenters also commented on the confidentiality of cybersecurity 
incident reporting. Some commenters requested that the Board clarify 
that the checkbox on Form 3 is confidential since making this 
information public would undermine the confidentiality of the reports 
and likely confuse readers who would not be provided any information on 
such breaches. Commenters also opposed any requirement to make public 
any cybersecurity incident details, citing security concerns and 
pointing to the fact that firms are already required to make certain 
disclosures and reporting if there is a data breach. One commenter 
stated that firms should not be required to disclose information to the 
PCAOB confidentially or otherwise that exceeds applicable federal and 
state laws, rules and regulations. The Board recognizes the critical 
importance of confidential reporting of cybersecurity incidents, both 
to the reporting firms and to the oversight function of the PCAOB, as 
explained in the proposal. The Board clarifies that the checkbox on 
Form 3 will remain confidential as well as the reported information.
    Further, commenters addressed potential conflicts with other 
obligations of audit firms that such a disclosure rule could create. A 
commenter stated that there is potential for this disclosure rule to 
divert resources away from the primary objectives of responding and 
recovering from a cyber incident. Another stated that this reporting 
regime could lead to significant confusion among security professionals 
regarding the circumstances in which a reporting requirement is 
triggered as they have other cybersecurity reporting requirements to 
follow. A commenter also highlighted guidance published by the Federal 
Bureau of Investigation which included a request for disclosure delays 
for national security or public safety reasons. This commenter urged 
the PCAOB to explain whether and how this process, or one like it, also 
should apply in the context of registered firms, and whether and how 
the Board's proposal may conflict with those other requirements and 
guidance. Also, one commenter compared the proposal with the related 
SEC Cyber release and noted that the Board's expectation that a firm 
include whether it has reported an incident to other authorities is not 
in the SEC Cyber Release and this could have unintended consequences. 
This commenter recommended that the PCAOB's reporting requirements 
remain consistent with the final SEC cyber release when ``providing a 
brief description of the event.'' Lastly, one commenter expressed 
concern that cybersecurity professionals will become confused by the 
growing number of different and inconsistent cybersecurity reporting 
regulations and frameworks.
    After considering the comments above, the Board does not believe 
there are any known direct conflicts with other current obligations of 
audit firms, but, in an effort to avoid unintended consequences, the 
Board has eliminated the requirement for a firm to include whether it 
has reported an incident to other authorities. The Board will continue 
to monitor the different disclosure regimes that impact audit firms and 
the interaction of these final amendments with them. With respect to 
the concern that the disclosure rule may divert resources away from the 
objectives of responding and resolving an incident, the Board believes 
that the disclosure requirements are not onerous and primarily require 
general, high-level information regarding the incident. As a general 
matter, to the extent firms have other cyber reporting obligations, 
they should already be monitoring for these types of events. Further, 
any security concerns should be assuaged by the fact that the 
disclosure is confidential to the PCAOB.
    Regarding the timing of the Board's consideration of the final 
amendments, one commenter recommended that the Board delay any 
finalization of its own cybersecurity incident reporting requirements 
at least until proposed rules under the Cyber Incident Reporting for 
Critical Infrastructure Act (``CIRCIA'') are adopted. The Board does 
not anticipate that the proposed CIRCIA rules will conflict with its 
reporting requirements and the Board will continue with the established 
timeline.
    For clarity, the cybersecurity incident reporting requirement in 
the final amendments is as follows. The Board has revised Form 3 to 
require the reporting of significant cybersecurity incidents within 
five business days on a confidential basis. The Board defines 
``significant cybersecurity incidents'' as those that have 
significantly disrupted or degraded the firm's operations critical to 
the functioning of the audit practice; or those that have led to 
unauthorized access to the electronic information, communication, and 
computer systems (or similar systems) (``information systems'') and 
networks of interconnected information systems of the firm in a way 
that has resulted in substantial harm to the audit firm. The reporting 
period would be measured from the time the firm determined the event to 
be significant.
    The Board expects such confidential reports to include sufficient 
information for the PCAOB to understand the nature of the incident and 
whether regulatory follow-up is warranted, including a brief 
description of the nature and scope of the incident; when it was 
discovered and whether it is ongoing; whether any data was stolen, 
altered, accessed, or used for any unauthorized purpose; the determined 
effects of the incident on the firm's operations; and whether the firm 
has remediated or is currently remediating the incident.
2. Cybersecurity Policies and Procedures
    In the Board's proposal, the Board mentioned that in addition to 
cybersecurity incident reporting, it believed that investors, audit 
committees, other stakeholders, and the PCAOB would benefit from 
information regarding a firm's policies and procedures related to 
cybersecurity risks. Such information would allow all parties to 
understand and assess a firm's vulnerability to cybersecurity incidents 
that may ultimately: (1) expose issuer data to third parties and/or bad 
actors, and/or (2) impact audit firm operations or audit quality. 
Accordingly, the Board proposed to revise the Annual Report Form to 
request a brief description of the audit firm's policies and 
procedures, if any, to identify, assess, and manage material risks from 
cybersecurity threats. The proposed item would instruct the audit firm 
to include: (i) whether and how any such policies and procedures have 
been integrated into the registrant's overall risk management system or 
processes; (ii) whether the firm engages assessors, consultants, 
auditors, or other third parties in relation to cybersecurity risks; 
and (iii) whether the firm has policies and procedures to oversee and 
identify such risks from cybersecurity threats associated with its use 
of any third-party service provider. The proposed requirement was not 
intended to elicit detailed, sensitive information but rather to inform 
the PCAOB, investors, audit committees, and other stakeholders of the 
firm's general policies and procedures, if any, to identify and manage 
cybersecurity risks. Several commenters supported the proposed revision 
to Form 2 requiring a ``Statement on Policies and Procedures to 
Identify and Manage Cybersecurity Risks.'' One commenter agreed with 
the proposal's discussion of the importance of such disclosure and 
believed that the Board's proposed brief disclosure requirements were 
reasonable. One

[[Page 96746]]

commenter recommended that the form be expanded to include artificial 
intelligence risks as well.
    Some commenters believed that this reporting rule reaches outside 
the bounds of the PCAOB's jurisdiction. One commenter suggested that 
the PCAOB drew an inaccurate comparison in the proposal between a 
registrant's disclosures to shareholders and other investors with a 
firm's disclosures to the PCAOB. Another stated that the proposed 
requirement is unclear and that disclosure of how firms manage 
cybersecurity risks may provide data points to cyber-criminals to 
assist them in breaching a firm's defenses. A commenter, in contrast, 
recommended that the Board broaden the proposed disclosure 
cybersecurity requirement to include technology-related risks like 
those related to artificial intelligence. Some commenters were 
concerned with the usefulness of this information to stakeholders. One 
in particular suggested that the Board clarify how high-level or 
specific the firm policies and procedures would be meaningful to 
investors, as well as to reassess which reported information would be 
available to the public. Another stated that further guidance is needed 
regarding this requirement especially with respect to smaller firms. 
That same commenter also does not support the requirement to report 
``whether the firm engages assessors, consultants, auditors, or other 
third parties in relation to cybersecurity risks'' as they believe it 
is overly broad, its value is unknown, and it could provide a signal to 
hackers regarding the firm's cybersecurity defenses. One commenter 
recommended expanded outreach to determine whether the proposed 
disclosures provide decision-useful information and how such 
information would be used.
    After consideration of the comments above, the Board believes that 
the parameters of the disclosure of cybersecurity policies and 
procedures should remain as proposed. As an initial matter, the rule is 
clear that firms should provide only a brief description and therefore 
the rule does not require specific enough information to create a 
security risk. Because the information requested is general in nature, 
firms can exercise a degree of judgment when it comes to the level of 
detail disclosed as part of their policies and procedures. Disclosure 
items like ``whether the firm engages assessors, consultants, auditors, 
or other third parties in relation to cybersecurity risks'' do not 
imply a disclosure of the identities of any parties that could 
potentially create a security risk. Further, while expanding the 
requirement to include a discussion of technology-related risks like 
artificial intelligence would have potential benefits for investors and 
audit committees, the Board believes that it is outside the bounds of 
its initial proposal and may require more detailed disclosure than the 
requirement contemplates, which may in turn create security risks. With 
respect to commenter concerns on the usefulness to stakeholders, the 
Board believes that the disclosures would provide investors and audit 
committees with additional information to understand efforts taken to 
protect an issuer's confidential data. Disclosing such information may 
also encourage firms to establish or improve their own cybersecurity 
policies and procedures as stakeholders assess a firm's vulnerabilities 
to cyberattacks that could impact its ability to deliver quality audit 
services.
    Further, in response to commenters questioning the PCAOB's 
jurisdiction and as explained in the above section addressing 
authority, such disclosure is designed to elicit information about an 
operational aspect of the firm that has significant implications for 
the audit practice and, ultimately, to improve audit quality. Thus, it 
aligns with the overarching objectives of Sarbanes-Oxley and the 
PCAOB's authority under Section 102 of that Act. See a further 
discussion of the Board's authority to adopt the final amendments in a 
section above.
Updated Description of QC Policies and Procedures
    In addition to the above revised periodic and special reporting 
framework, the Board proposed a reporting-related requirement that 
evolved out of QC 1000.
    Any public accounting firm applying to the Board for registration 
pursuant to Rule 2100, Registration Requirements for Public Accounting 
Firms, must file an application for registration on Form 1. Form 1 
requires that an applicant furnish, as an exhibit, a narrative, summary 
description, in a clear, concise and understandable format, of the 
quality control policies of the applicant for its accounting and 
auditing practices (``Statement of Applicant's Quality Control Policies 
and Procedures'').
    In May 2024, the Board adopted, and in September 2024, the 
Commission approved, a new QC standard, QC 1000, and other amendments 
to PCAOB standards, rules, and forms. That included an amendment to 
Form 1 that would require applications for registration after the 
effective date of QC 1000 to also indicate whether the firm has 
designed a QC system in accordance with QC 1000. However, the new 
standard and the related amendments do not include any mechanism for 
firms that registered with the Board prior to the effective date of QC 
1000 (December 15, 2025) to provide an updated statement regarding 
their quality control policies pursuant to QC 1000.
    The Board proposed to create a new form, Update to the Statement of 
Applicant's Quality Control Policies and Procedures (Form QCPP), to 
require that any firm that registered with the Board prior to the date 
that QC 1000 becomes effective must submit an updated statement of the 
firm's quality control policies and procedures pursuant to QC 1000. The 
Board believes it is important that firms update the statement 
regarding their quality control policies and procedures, originally 
made in connection with their registration application, to reflect the 
changes to their policies and procedures made in response to the new 
quality control standard. This is consistent with Sarbanes-Oxley 
Section 102(d), which permits the Board to require reporting ``to 
update the information contained in [a firm's] application for 
registration.'' It would increase transparency to investors and audit 
committees, who could then evaluate whether and how firms are 
addressing QC 1000.
    Several commenters agreed with the Board's proposed disclosure of 
updates to a firm's quality control policies and procedures, citing the 
benefits of investor transparency. On the other hand, some commenters 
questioned the form's usefulness to stakeholders. One stated that such 
a requirement could potentially lead to redundancies with the 
requirements of QC 1000 and cause confusion among stakeholders. Another 
commented that the PCAOB does not specify how PCAOB staff would 
evaluate and what they would do with this information, and does not 
explain the value of reporting by inactive firms that are not 
performing any public company audits and would not have audit 
committees or investors that would use that information. Similarly, 
several commenters opposed the application of Form QCPP to registered 
firms that are not currently providing audit services to issuers or 
broker-dealers. One suggested that the Board should consider requiring 
inactive firms to file Form QCPP only upon taking on an audit of an 
issuer or broker-dealer and that such an approach would be analogous to 
the SEC's requirements for newly registered companies, in which 
companies become IPO-ready but do not file registration statements 
until they access the capital markets.
    The Board does not believe that the institution of Form QCPP would 
create

[[Page 96747]]

any confusion for stakeholders, but rather believes that it would 
provide clarity on a firm's quality control system and assurance that a 
firm adheres to the Board's new QC standard. The PCAOB has not 
specified the expected internal use of this data, as its primary 
purpose is to benefit stakeholders and enhance their access to current 
information regarding a firm's quality control system. Notwithstanding 
commenters' concerns over the burden on inactive firms, the Board has 
decided to adopt the requirement for all registered firms in alignment 
with QC 1000. QC 1000 extends to all registered firms. A disjunction 
between the scope of the QCPP update requirement and the scope of QC 
1000 would create a potentially confusing circumstance in which some 
firms subject to QC 1000 provide updated public information regarding 
their QC systems and some do not. Given the one-time nature of the 
reporting requirement and that the requirement is to summarize matters 
that firms are required to document under QC 1000, the Board thinks the 
burden is minimal and that stakeholders will benefit from updated 
information regarding a firm's quality control system in light of QC 
1000.
    Some firms had concerns regarding the clarity of proposed Form 
QCPP. One stated that if Form QCPP is retained, additional clarity is 
needed regarding the expectations surrounding the disclosure of the 
firm's quality control policies and procedures under QC 1000, including 
whether identification of quality objectives and risks is necessary. 
This same commenter questioned if the Board's disclosure rule requires 
a firm to test and make a determination as to whether it has designed a 
quality control system in compliance with QC 1000 before Form QCPP is 
filed. Another stated that it is unclear whether the Board has ongoing 
expectations or intentions related to updating Form QCPP and if 
additional submissions would be required, suggesting that any future 
submissions of Form QCPP would be unnecessary. One commenter was 
concerned that a ``simple statement,'' rather than a more detailed 
explanation, in the Form QCPP would suffice and thus negate the 
usefulness of having such a disclosure requirement.
    The Board believes that the proposed instructions to Form QCPP 
provide sufficient detail to guide a firm's compliant disclosure. The 
Board stated that ``The Firm should not provide the Board with its 
entire internal quality control manual in response to this item, but 
should prepare a brief document that addresses its quality control 
policies and procedures as they relate to QC 1000. Specifically, the 
description should provide an overview of the Firm's policies with 
respect to roles and responsibilities; the firm's risk assessment 
process; governance and leadership; ethics and independence; acceptance 
and continuance of engagements; engagement performance; resources; 
information and communication; the monitoring and remediation process; 
evaluating and reporting on the QC system; and documentation.'' Such 
instructions indicate that while a ``simple statement'' would likely 
not be sufficient, a firm need not provide overly extensive detail 
either.
    In response to a commenter's request for more clarity, the Board 
also notes the following: (1) Form QCPP is intended to serve as an 
update to information that firms provided with their registration 
application; (2) the instructions and guidance that the Board has 
provided mirror Form 1 and Registration FAQ 32 (issued December 4, 
2017); \117\ and (3) the Board has not observed any significant 
confusion about the appropriate level of detail to be provided when the 
Board has processed registration applications for the last 20 years. 
Further, in response to a commenter questioning if the Board intended 
for firms to disclose quality objectives and quality risks, Form QCPP 
need not identify quality objectives and quality risks as these items 
are not classified as ``policies and procedures.'' Firms also need not 
perform any test or reach any conclusion about their compliance with QC 
1000 in submitting Form QCPP.
---------------------------------------------------------------------------

    \117\ See PCAOB Rel. No. 2003-011F at 12.
---------------------------------------------------------------------------

    One commenter also suggested that the PCAOB not introduce a new 
form but rather enhance Form 2 to provide the relevant information 
annually so that the Board could obtain updates annually on that form 
together with all of the other information required on Form 2. The 
Board currently does not have the expectation that updating this form 
would be an ongoing requirement, but rather just a one-time public 
update to stakeholders. In that vein, the Board has not integrated this 
disclosure requirement with an existing form (e.g., Form 2) because the 
Board does not expect firms to make a recurring public disclosure about 
their quality control policies and procedures. Moreover, this 
requirement is not meant to create additional obligations, apart from 
the one-time reporting obligation itself, with respect to a firm's 
quality control system (i.e., there is no additional testing required). 
This rule also becomes effective after QC 1000 becomes effective, and 
thus, registered firms should already be compliant with QC 1000 by the 
time they must comply with this reporting obligation.
    Lastly, one commenter was concerned about the lack of 
confidentiality. This commenter suggested including confidentiality 
considerations in the instructions to the form or clarifying that there 
is an option for a confidential treatment request. The Board does not 
believe that any of the information elicited in Form QCPP's 
instructions would necessitate confidentiality or the allowance of a 
confidential treatment request. None of the information would require 
disclosure of proprietary information and, based on the Board's 
experience in this area (and the fact that no commenter identified any 
law), no other law shields the information from disclosure. Because the 
information requested in Form QCPP consists of a summary or overview of 
policies and procedures, the Board believes that it should not be 
reflective of any proprietary information. The high-level nature of 
this disclosure requirement adheres to confidentiality principles and 
supports its designated public format. Also, in contrast to an internal 
audit manual, this disclosure should only consist of an overview of 
policies and procedures. No commenter identified any confidentiality 
law (beyond Section 102(e) of Sarbanes-Oxley) that would shield this 
information from disclosure. Moreover, confidential treatment would be 
at odds with the fundamental purpose of this requirement, which is to 
provide updated information to the public regarding a firm's quality 
control system in light of QC 1000.
Effective Date
    For the enhanced periodic reporting requirements discussed above, 
the Board proposed phased implementation to give smaller firms more 
time to develop and implement the necessary tools. For the first phase, 
the Board considered making the requirements effective as of March 31, 
2026, or one year after approval of the requirements by the SEC, 
whichever occurs later. The first phase would apply to the largest 
firms as defined in proposed Rule 2208 (being adopted as Rule 4013). 
The second phase, which would begin one year after the first phase, 
would cover the remaining firms subject to reporting requirements.
    For the special reporting and cybersecurity incident reporting 
requirements, the Board considered making the requirements effective as 
of 90 days after approval of the requirements by the SEC for all firms

[[Page 96748]]

because these requirements are not periodic in nature and the events 
would be reported infrequently and/or have urgent importance.
    For the financial statement requirements discussed above, the Board 
proposed to make the interim requirements effective March 31, 2026, or 
one year after approval of the requirements by the SEC, whichever 
occurs later. The final requirement for compliance with the applicable 
financial reporting framework would have been effective March 31, 2028 
or three years after approval by the SEC, whichever is later.
    For the disclosure required in Form QCPP, the Board considered 
aligning the effective date for Form QCPP with the effective date for 
QC 1000.
    Some commenters requested additional time beyond the proposed 
effective date, with some citing the time needed to conform their 
systems to the new requirements and others citing new concurrent PCAOB 
or industry standards. A commenter urged us to wait until QC 1000 has 
been adopted by firms, and a post-implementation review of the standard 
has been performed before proposing any additional disclosures by 
firms. Another firm suggested a pilot reporting period in test 
environment prior to the final effective date to ensure a smooth 
transition.
    The Board has provided additional time before the effective date 
for each requirement. For the enhanced periodic reporting requirements, 
and for the enhanced special reporting requirements, the Board has 
adopted phased implementation to give smaller firms more time to 
develop and implement the necessary tools. For the first phase, the 
final amendments, if approved by the SEC, will become effective as of 
March 31, 2027, or two years after approval of the requirements by the 
SEC, whichever occurs later. The first phase applies to the largest 
firms as defined in new rule 4013. For the second phase, the final 
amendments will become effective one year after the first becomes 
effective. The second phase will apply to the remaining firms subject 
to reporting requirements.
    For the Form QCPP requirement, the Board has, as proposed, aligned 
the effective date for Form QCPP with the effective date for QC 1000. 
Thus, the final amendments will become effective December 15, 2025. 
However, in a change from the proposal, the Board has provided that 
Form QCPP be submitted no later than 30 days after December 15, 2025 
(by January 14, 2026).
    Except for the Form QCPP requirement which aligns with the QC 1000 
effective date, the Board notes that the effective dates post-date the 
QC 1000 effective date. The Board has not, however, delayed the 
effective date of the final amendments until after a post-
implementation review of QC 1000, as some commenters requested, as the 
Board believes that would represent an excessive delay and these 
amendments (apart from Form QCPP) intersect with QC 1000 only in minor 
respects.
    As some commenters requested that the Board create a test 
environment before making these requirements effective, the Board may 
consider a test environment for new confidential reporting in the 
future; a test environment need not be addressed via the rulemaking 
process.

D. Economic Considerations and Application to Audits of Emerging Growth 
Companies

    The Board is mindful of the economic impacts of its rulemakings. 
This economic analysis describes the economic baseline, need, and 
expected economic impacts of the final rule, as well as alternative 
approaches considered. Due to data limitations, much of the economic 
analysis is qualitative in nature; however, where reasonable and 
feasible, the economic analysis incorporates quantitative information, 
including on the number of PCAOB-registered public accounting firms and 
the number of Form 2 and Form 3 filings. The analysis also incorporates 
information from academic literature.
    The Board sought and received comments on the economic analysis in 
the proposal.\118\ To the extent that commenters expressed views 
related to the economic analysis, many commenters generally 
acknowledged the importance of audit firm reporting and transparency to 
support decision-making by stakeholders. Several commenters questioned 
the need for the Firm Reporting requirements. Some commenters affirmed 
benefits described in the proposal, while some commenters questioned 
the benefits associated with certain reporting requirements, such as 
certain governance and network disclosures. In addition, several 
commenters expressed doubt regarding a direct linkage between audit 
quality and certain reporting requirements, such as certain details of 
audit fees and governance characteristics. Some commenters expressed 
concerns about costs associated with some reporting requirements, such 
as detailed audit fees for foreign firms and additional specified 
events for special reporting. Several commenters suggested that the 
economic analysis should more explicitly consider costs that could 
disproportionately impact smaller firms, foreign firms, and smaller 
companies. Some commenters described potential unintended consequences, 
including market exit and diversion of resources, while some commenters 
suggested alternatives to the reporting requirements, such as scaling 
the reporting requirements and limiting collection of data to the 
inspection process. A few commenters offered a quantitative perspective 
regarding impacts, and several commenters referenced additional 
academic research for the Board's consideration. The Board has 
considered all of the comments, including the quantitative perspectives 
and academic research the commenters referenced, and has developed the 
following economic analysis that evaluates the expected benefits and 
costs of the final requirements, discusses potential unintended 
consequences, and provides comparisons to alternative actions 
considered.
---------------------------------------------------------------------------

    \118\ See Firm Reporting, PCAOB Rel. No. 2024-003 (Apr. 9, 
2024).
---------------------------------------------------------------------------

Baseline
    This section discusses the economic baseline against which the 
economic impacts of the final rule can be considered. The Background 
and Key Considerations section above describes important components of 
the baseline, including an overview of existing reporting requirements 
on PCAOB Form 2 and Form 3.
    Limited information is currently available on Form 2 and Form 3 for 
the areas of the final reporting requirements, and the baseline applies 
to the collective reporting requirements. Form 2 currently contains two 
items that are related to the reporting requirements in the final rule 
but do not require the particular information specified under the final 
rule. First, Item 3.2 of Form 2 currently collects fees billed to 
issuer audit clients--separately for audit services, other accounting 
services, tax services, and non-audit services--as a percentage of 
total fees billed by a firm to all clients for services that were 
rendered in the reporting period. Item 3.2 does not currently require 
firms to report actual fee amounts on Form 2--i.e., the numerator and 
denominator of the percentage calculations. In addition, Item 3.2 does 
not currently require firms to report fees billed to broker-dealer 
audit clients during the reporting period. Second, Item 5.2 of Form 2 
currently asks firms to state whether the firm has any: (i) membership 
or affiliation with any

[[Page 96749]]

network that licenses or authorizes audit procedures or manuals or 
related materials, or the use of a name in connection with the 
provision of audit services or accounting services, (ii) membership or 
affiliation with any network that markets or sells audit services or 
through which joint audits are conducted, or (iii) arrangement with 
another entity through or from which the firm employs or leases 
personnel to perform audit services. In addition, Item 5.2 currently 
collects the names, addresses, and a brief description of the 
relationship the firm has with each entity. Item 5.2 does not currently 
specify that the description should discuss the network structure and 
the relationship of the registered firm to the network--including 
whether the registered firm has access to resources such as firm 
methodologies and training, whether the firm shares information with 
the network regarding its audits, whether the firm is subject to 
inspection by the network, and other information the firm considers 
relevant to understanding how the network relationship relates to its 
conduct of audits.
    The current reporting requirements on Form 2 and Form 3, together 
with uses of the information collected, firms' filing practices, and 
other sources of audit firm information, form the baseline from which 
the Board assesses the economic impacts of the final reporting 
requirements. The Board discusses below: (i) PCAOB uses of Form 2 and 
Form 3, including firms' filing practices; (ii) investor and audit 
committee potential uses of Form 2 and Form 3; and (iii) other sources 
of audit firm information.
1. PCAOB Uses of Form 2 and Form 3
    Pursuant to the Sarbanes-Oxley Act, Form 2 and Form 3 are used by 
the Board to exercise its statutory oversight function and provide 
decision-useful information to the public. Form 2 collects basic 
information once a year about the firm and the firm's audit practice 
over a 12-month reporting period. Form 2 is required to be filed 
annually by all PCAOB-registered firms. Form 3 collects information 
upon the occurrence of specified events, such as when a firm resigns or 
is dismissed from an audit engagement in certain circumstances or when 
a firm has become aware that it has become a defendant in a criminal 
proceeding. The contents of Form 2 and Form 3 for each firm are 
generally made publicly available on the PCAOB website, with some 
exceptions if the firm requests and is granted confidential treatment.
    The Board uses information reported on Form 2 and Form 3 to: (i) 
keep firms' basic records current; (ii) plan and inform the Board's 
statutory oversight function; and (iii) monitor specified events that 
could merit follow-up. The number of PCAOB-registered firms as of 
December 31, 2023, was 1,599, most of which were subject to Form 2 and 
Form 3 reporting requirements \119\ in the 2023 filing year and will be 
subject to the reporting requirements in the absence of any 
withdrawals. Figure 1 and Figure 2 below present the counts of 
registered firms and the counts of Form 2 and Form 3 filings the 
registered firms utilized to communicate annual information and 
specified events, respectively, to the Board based on current reporting 
requirements. The counts in Figure 1 and Figure 2 provide a reference 
point for the number of firms that will be expected to comply with the 
additional reporting requirements of the final rule.
---------------------------------------------------------------------------

    \119\ Form 2 and Form 3 filings are suspended while a registered 
firm has a Form 1-WD pending. See PCAOB Rule 2107(c)(2), Withdrawal 
from Registration. In addition, Form 2 is not required by a 
registered firm that has an application for registration approved by 
the Board in the period between and including April 1 and June 30 of 
the filing year. See PCAOB Rule 2201, Time for Filing of Annual 
Report.
---------------------------------------------------------------------------

i. Form 2
    Form 2 reporting provides a profile of a firm at a point in time, 
based on the firm's activity related to audits of issuers and broker-
dealers over the most recent 12-month reporting period. For example, 
information reported on Form 2 Part V (Offices and Affiliations) is 
used by PCAOB staff for inspection planning. Information reported on 
Form 2 also keeps current the Board's records about basic matters, such 
as the firm's name, location, and contact information, which informs 
other Board oversight activities. For example, primary contact 
information reported on Form 2 Part I (Identity of the Firm and Contact 
Persons) is used by PCAOB staff to identify the firm-designated contact 
person to whom document requests for investigations should be sent.
    PCAOB supports either extensible markup language (``XML'') or an 
internet-based form for firms to file Form 2. For the XML option, PCAOB 
makes available a schema, and firms develop their own computer program 
consistent with the schema to then generate the filing. Some large 
firms share the same program within their network to manage the cost of 
developing a program. The XML filing option for Form 2 generally 
facilitates filing for firms with large numbers of audits due to the 
standardized nature of data collected for each audit on Form 2. One 
commenter suggested that firms' current reporting practices were not 
clear in the proposal. However, the proposal explained that 
approximately twelve of the largest firms currently file Form 2 via 
XML, which covers the vast majority of issuer engagements based on 
market capitalization. All other firms file Form 2 via the PCAOB Web-
based form.
    Figure 1 provides for the 2023 filing year counts of PCAOB-
registered firms that filed a Form 2 and counts of firms that signed an 
issuer or a broker-dealer audit opinion. For the 2023 filing year, the 
number of registered firms that filed Form 2 was 1,419 and the number 
of firms that did not file was 180. The number of registered firms that 
filed a Form 2 and signed an opinion in the 2023 filing year was 570. 
Firms are subject to Form 2 reporting requirements whether or not they 
sign an audit opinion.
---------------------------------------------------------------------------

    \120\ Counts include: (i) registered firms with status 
``Currently Registered'' (1,568), ``Suspended'' (1), ``Suspended; 
Withdrawal Pending'' (0), and ``Withdrawal Pending'' (30) and (ii) 
firms exempted from Form 2 filing under PCAOB Rule 2201 because they 
had an application for registration approved by the Board in the 
period between and including April 1 and June 30 of the 2023 filing 
year. Opinion categories are based on data from Audit Analytics 
(including Feed 6, Feed 34, and Feed 27) for firms that filed Form 
2. The ``substantial role only'' line items are based on data from 
Form 2 and indicate the number of firms that played a substantial 
role only for the opinion categories in which the primary auditor 
signed an opinion or no opinion was signed. For more discussion of 
firms' registration status and firms that do not file Form 2, see 
Proposals Regarding False or Misleading Statements Concerning PCAOB 
Registration and Oversight and Constructive Requests to Withdraw 
from Registration, PCAOB Rel. No. 2024-001 (Feb. 27, 2024).

  Figure 1--Counts of PCAOB-Registered Firms for the 2023 Form 2 Filing
                               Year \120\
------------------------------------------------------------------------
                                                        As of 12/31/2023
------------------------------------------------------------------------
Number of registered firms...........................              1,599
    Filed Form 2.....................................              1,419

[[Page 96750]]

 
    Did not file Form 2..............................                180
Types of opinions for firms that filed Form 2:
    Signed issuer opinions only......................                321
    Substantial role only............................                  5
    Signed broker-dealer opinions only...............                128
    Substantial role only............................                  3
    Signed issuer and broker-dealer opinions.........                121
    Substantial role only............................                  2
    Signed no opinions...............................                849
    Substantial role only............................                 74
------------------------------------------------------------------------

ii. Form 3
    Form 3 reporting alerts the Board to the occurrence of specified 
events, such as disciplinary proceedings or withdrawal of an audit 
report in certain circumstances, that may have more immediate bearing 
on how the Board carries out its statutory oversight function. In 
addition, information reported on Form 3 is used by PCAOB staff to 
assess whether the information indicates a potential violation of 
applicable standards or rules. Special reporting enables the PCAOB to 
consider whether prompt action is warranted by the Board's inspection 
process or enforcement process. Under the extant rules, firms currently 
have 30 days after a reportable event to file Form 3.\121\ PCAOB staff 
analysis indicates that during the period 2018-2022, firms filed Form 3 
in less than 15 days after a reportable event for 12.1 percent of 
specified events reported.\122\ PCAOB supports either XML or a Web-
based form for firms to file Form 3. One commenter suggested that 
firms' current reporting practices were not clear in the proposal, but 
the proposal explained that based on the unique nature of each Form 3 
filing, no firms have chosen to file Form 3 via XML.
---------------------------------------------------------------------------

    \121\ See PCAOB Rel. No. 2008-004.
    \122\ The following reportable events were included in the staff 
analysis: Item 3.1 (Withdrawn Issuer Audit Reports and Consents); 
Item 3.2 (Issuer Auditor Changes); Item 4.1 (Criminal, Governmental, 
Administrative, or Disciplinary Proceedings); Item 4.2 (Concluded 
Criminal, Governmental, Administrative, or Disciplinary 
Proceedings); Item 5.1 (New Relationship with Person Subject to Bar 
or Suspension).
---------------------------------------------------------------------------

    Figure 2 provides counts of firms that filed at least one Form 3, 
counts of Form 3 filed, and counts of the reasons for which Form 3 was 
filed. For the 2023 filing year, the number of firms that filed Form 3 
was 299 and the number of forms filed was 563. The Board does not have 
information on the number of firms that failed to file Form 3 or the 
number of Form 3 that firms failed to file. The top three reasons firms 
filed Form 3 are: (i) the firm became aware of changes related to 
certain legal proceedings; (ii) there was a change in the firm's legal 
name or in the business contact information of the firm's primary 
contact with the Board; and (iii) the firm experienced a change in 
license or certification to engage in the business of auditing or 
accounting in a certain jurisdiction.

  Figure 2--Counts of PCAOB-Registered Firms for the 2023 Form 3 Filing
                               Year \123\
------------------------------------------------------------------------
                                                        As of 12/31/2023
------------------------------------------------------------------------
Number of registered firms...........................              1,599
Number of firms that filed at least one Form 3.......                299
Number of Form 3 filed...............................                563
Number of reasons for filing Form 3..................                739
    Changes in certain legal proceedings.............                332
    Changes in the firm's name or contact person.....                191
    Changes in licenses and certifications...........                127
    Amendments to previously-filed Form 3............                 55
    Withdrawal of an audit report, resignation or                     30
     dismissal or a firm, or issuance of audit
     reports with respect to more than 100 issuers...
    Changes in certain relationships (i.e., new                        4
     relationship with person subject to bar or
     suspension, new ownership interest by firm
     subject to bar or suspension, or certain
     arrangements to receive consulting or other
     professional services)..........................
------------------------------------------------------------------------

2. Investor and Audit Committee Potential Uses of Form 2 and Form 3
---------------------------------------------------------------------------

    \123\ Counts include registered firms with status ``Currently 
Registered'' (551), ``Withdrawal Pending'' (6), and ``Registration 
Withdrawn'' (6). Counts are determined based on the number of 
original Form 3 and amended Form 3 filed in a given calendar year. A 
firm may file more than one Form 3. A single Form 3 filing may 
include more than one reason, and each reason is included in the 
counts.
---------------------------------------------------------------------------

    The Board does not monitor specific uses of Form 2 or Form 3 by 
investors and audit committees. However, Form 2 and Form 3 information 
is generally publicly available for investors and audit committees to 
inform their views of firms and the audit market. For example, 
investors and audit committees can observe information reported on Form 
2, such as a firm's client base or number of CPA personnel, to inform 
their selection of a firm. Likewise, investors and audit committees can 
observe information reported on Form 3, such as a withdrawal of an 
audit report, to monitor and understand developments that may impact 
their confidence in financial reporting quality.
    The Board does not track types of visitors to specific forms on the 
PCAOB website, reasons for those visits, or views of specific forms. 
However, the Board does track unique visits to all PCAOB forms filed--
i.e., Forms 1, 2, 3, 4, and AP--that are publicly available on the 
PCAOB website. For calendar

[[Page 96751]]

year 2023, there were just over 23,000 unique visitors, and close to 
7.4 million page views, for PCAOB's registration, annual and special 
reporting (RASR) Web service that provides public access to firm 
filings, including Forms 1, 2, 3, 4, and AP.\124\ Additionally, in 2023 
there were over 333,000 unique searches performed on PCAOB's 
AuditorSearch Web service, and the Form AP dataset was downloaded over 
2,000 times.\125\
---------------------------------------------------------------------------

    \124\ The RASR database can be found on the PCAOB's website, 
available at https://rasr.pcaobus.org/Search/Search.aspx. The usage 
statistics may underestimate actual public interest because 
investors, researchers, auditors, audit committees, and issuer 
management may source PCAOB information through external third-party 
data service providers--such as Ideagen's Audit Analytics. The usage 
statistics may also overestimate actual public interest to some 
extent because they include internal PCAOB users.
    \125\ Information related to usage statistics can be found on 
the PCAOB's website, available at https://pcaobus.org/resources/auditorsearch.
---------------------------------------------------------------------------

    One commenter noted that the proposal did not cite academic 
research that suggests that certain investors do not voluntarily access 
Form AP data.\126\ Since the study focuses on non-professional 
investors, the Board notes that the results may not necessarily 
generalize to other types of investors, such as institutional 
investors. Previous academic research also suggests that investors did 
not respond to information reported in Form AP soon after the form 
became effective.\127\ However, the absence of a response soon after 
the form became effective does not mean information has no value to 
investors or audit committees. For example, more recent academic 
research suggests that audit partner disclosures in Form AP provide 
useful information to equity markets.\128\
---------------------------------------------------------------------------

    \126\ See, e.g., Candice T. Hux, How Does Disclosure of 
Component Auditor Use Affect Nonprofessional Investors' Perceptions 
and Behavior?, 40 Auditing: A Journal of Practice & Theory 35 (2021) 
(finding that very few non-professional investors voluntarily access 
component auditor information disclosed in Form AP).
    \127\ See, e.g., Marcus M. Doxey, James G. Lawson, Thomas J. 
Lopez, and Quinn T. Swanquist, Do Investors Care Who Did the Audit? 
Evidence from Form AP, 59 Journal of Accounting Research 1741 (2021) 
(finding little evidence of a significant investor response 
following the disclosure of partner identity and component auditor 
participation in the first three years after Form AP was effective).
    \128\ See, e.g., Daniel Aobdia, Vincent Castellani, and Paul 
Richardson, Do Investors Care Who Led the Audit in the U.S.? 
Evidence from Announcements of Accounting Restatements, available on 
SSRN: https://ssrn.com/abstract=4702538 (2024) (finding that 
following the mandated disclosure of audit partner names on Form AP, 
a U.S. audit partner's non-restating clients experience a 
significant negative market reaction in the days surrounding the 
announcement of another client's restatement). The Board notes that 
SSRN does not peer review its submissions.
---------------------------------------------------------------------------

    One commenter reported results from a survey they conducted of 100 
institutional investor respondents \129\ that found 25 percent of 
respondents navigate to the AuditorSearch Web service very often, 54 
percent navigate to it often, 16 percent navigate to it sometimes, 3 
percent navigate to it rarely, and 2 percent navigate to it never.\130\ 
The commenter also reported results from a survey they conducted of 242 
audit committee member respondents \131\ that found 0.4 percent of 
respondents navigate to the AuditorSearch Web service very often, 3.7 
percent navigate to it often, 15.7 percent navigate to it sometimes, 
27.3 percent navigate to it rarely, 36.4 percent navigate to it never, 
and 16.5 percent are unfamiliar with PCAOB Form AP.\132\ Results from 
both of these surveys indicate that institutional investor respondents 
and audit committee member respondents navigate to the AuditorSearch 
Web service, but the results do not indicate the extent to which 
institutional investor respondents and audit committee member 
respondents use the AuditorSearch information.
---------------------------------------------------------------------------

    \129\ See Center for Audit Quality, PCAOB Engagement Metrics 
Report--Investors (July 2024) (``CAQ Investor Survey''). The survey 
was conducted online from May 15, 2024, to May 22, 2024.
    \130\ See CAQ Investor Survey. The survey question asked, ``How 
often do you navigate to the AuditorSearch on the PCAOB's Form AP, 
Auditor Reporting of Certain Audit Participants website?''
    \131\ See Center for Audit Quality, Audit Firm & Engagement 
Disclosures; Stakeholder Information Needs (July 2024) (``CAQ Audit 
Committee Survey''). The survey was conducted online from May 29, 
2024, to June 14, 2024.
    \132\ See CAQ Audit Committee Survey. The survey question asked, 
``How often do you navigate to the AuditorSearch on the PCAOB's Form 
AP, Auditor reporting of Certain Audit Participants website?''
---------------------------------------------------------------------------

    In addition to the information that the firm makes publicly 
available through required form filings, the PCAOB provides public 
disclosures of firm inspection reports.\133\ During the 2023 calendar 
year, firm inspection reports were downloaded approximately 113,000 
times. Academic research suggests that audit committees use the 
information contained in PCAOB inspection reports.\134\ Additionally, 
some academic research suggests that PCAOB inspection reports provide 
useful information to investors.\135\ However, some research indicates 
that institutional investors may not be aware of or find value in PCAOB 
inspection reports, suggesting that current research captures the lower 
bound of the effect of PCAOB inspection information to investors.\136\ 
One commenter questioned whether investors access or analyze Form 2 
data to seek insights about audit firms in light of the research that 
suggests institutional investors may not be aware of or find value in 
PCAOB inspection reports. However, the Board does not draw inferences 
regarding the usefulness of Form 2 data from the research results 
regarding PCAOB inspection reports.
---------------------------------------------------------------------------

    \133\ Firm inspection reports can be found on the PCAOB's 
website, available at https://pcaobus.org/oversight/inspections/firm-inspection-reports.
    \134\ See, e.g., Daniel Aobdia, The Impact of the PCAOB 
Individual Engagement Inspection Process--Preliminary Evidence, 93 
The Accounting Review 53 (2018) (finding that companies are more 
likely to switch auditor when firm offices or partners receive a 
Part I audit deficiency).
    \135\ See, e.g., Nemit Shroff, Real Effects of PCAOB 
International Inspections, 95 The Accounting Review 399 (2020) 
(finding, using a sample of foreign companies, that companies enjoy 
greater access to capital when their auditor's PCAOB inspection 
report does not include Part I deficiencies)); Andrew Acito, Amir 
Amel-Zadeh, James Anderson, William L. Anderson, Daniel Aobdia, 
Francois Brochet, Huaizhi Chen, Jonathan T. Fluharty-Jaidee, Martin 
Schmalz, Manyun Tang, and Scott Jinzhiyang Wang, Market-Based 
Incentives for Optimal Audit Quality, available on SSRN: https://ssrn.com/abstract=4997362 (2024) (finding that when PCAOB inspection 
reports can be easily linked to the issuer being audited, issuers 
whose audit was not found to be deficient significantly outperform 
issuers whose audit was found to be deficient). The Board notes that 
SSRN does not peer review its submissions.
    \136\ See, e.g., CAQ, Perspectives on Corporate Reporting, the 
Audit, and Regulatory Environment (Nov. 2023) (finding that most 
institutional investors interviewed were unaware of PCAOB inspection 
reports, and to the extent investors were aware, found the report 
results to be expected); Clive Lennox and Jeffrey Pittman, Auditing 
the Auditors: Evidence on the Recent Reforms to the External 
Monitoring of Audit Firms, 49 Journal of Accounting and Economics 84 
(2010) (finding that companies do not perceive that the PCAOB's 
disclosed inspection reports are valuable for signaling audit 
quality).
---------------------------------------------------------------------------

    One commenter suggested that investors' and audit committees' uses 
of information regarding firms were not clearly understood from the 
analysis in the proposal. However, the proposal did discuss the 
potential uses of Form 2 and Form 3 information as noted above, and 
commenters did not explicitly disaffirm the potential uses. In 
addition, one commenter reported results from a survey they conducted 
of 100 institutional investor respondents that found 30 percent of 
respondents navigate to the PCAOB's Registered Firms website \137\ very 
often, 52 percent navigate to it often, 13 percent navigate to it 
sometimes, 2 percent navigate to it rarely, and 3 percent navigate to 
it never.\138\ Of the 95 institutional investor

[[Page 96752]]

respondents who navigate to the Registered Firms website sometimes, 
often, or very often, 61 percent find Form 2 information useful, 58 
percent find Form 3 information useful, 37 percent find inspection 
reports useful, 35 percent find disciplinary proceedings useful, and 2 
percent marked none of the above.\139\ The commenter also reported 
results from a survey they conducted of 242 audit committee member 
respondents that found 0.4 percent of respondents navigate to the 
Registered Firms website very often, 4.5 percent navigate to it often, 
16.9 percent navigate to it sometimes, 25.6 percent navigate to it 
rarely, 41.7 percent navigate to it never, and 10.7 percent are 
unfamiliar with it.\140\ Of the 12 audit committee member respondents 
who navigate to PCAOB's Registered Firms website often or very often, 
75 percent find Form 2 information useful, 42 percent find Form 3 
information useful, 33 percent find inspection reports useful, 33 
percent find disciplinary proceedings useful, and 8 percent have not 
utilized PCAOB resources.\141\ These survey results suggest that 
institutional investor respondents access Form 2 and Form 3 information 
available on the PCAOB website and generally find the information to be 
useful. Audit committee member respondents access Form 2 and Form 3 
information to a much lesser extent than institutional investor 
respondents, and those audit committee member respondents that do 
access the information generally find the Form 2 information to be more 
useful than the Form 3 information.
---------------------------------------------------------------------------

    \137\ The PCAOB Registered Firms website contains a firm summary 
page where the public can view a firm's registration, Form 2 annual 
reports, Form 3 special reports, inspection reports, and 
disciplinary actions, available at https://pcaobus.org/oversight/registration/registered-firms.
    \138\ See CAQ Investor Survey. The survey question asked, ``How 
often do you navigate to the PCAOB's Registered Firm website?''
    \139\ See CAQ Investor Survey. The survey question asked, ``What 
information do you find useful on the PCAOB's Registered Firms 
website? Select all that apply.''
    \140\ See CAQ Audit Committee Survey. The survey question asked, 
``How often do you navigate to the PCAOB's Registered Firms website?
    \141\ See CAQ Audit Committee Survey. The survey question asked, 
``What information do you find most useful on the PCAOB's Registered 
Firm site?''
---------------------------------------------------------------------------

3. Other Sources of Audit Firm Information
    In addition to Form 2 and Form 3, investors, audit committees, and 
the Board have access to audit firm information through other public 
sources. As discussed in Background and Key Considerations, some firms 
disclose information--such as financial, governance, and network 
information--as part of voluntary or mandatory transparency 
reports.\142\ These reports are generally published by firms annually 
for access by the public.\143\ In addition, the SEC requires issuers to 
disclose audit fees, audit-related fees, tax fees, and other fees paid 
to audit firms in the two preceding fiscal years. The disclosed amounts 
may include fees paid to multiple audit firms rather than a single 
audit firm. Information related to certain legal proceedings--e.g., SEC 
enforcement actions--is also publicly available.\144\ However, due to 
the investigation and litigation process, information may be publicly 
available only after a substantial lag.
---------------------------------------------------------------------------

    \142\ Under PCAOB auditing standards and applicable U.S. law, 
audit firm transparency reports are voluntary and unregulated 
disclosures. Consequently, firms can disclose information of their 
own choosing and construction. In practice, firms that do publish 
transparency reports disclose information that is required in 
reports pursuant to disclosure rules in other jurisdictions, such as 
in the European Union (i.e., EU--No 537/2014 Article 13), or 
similarly adopted domestic requirements in the UK under the 
Financial Reporting Council's authority (i.e., the Companies Act of 
2006, and Statutory Auditors and Third Country Auditors Regulations 
of 2016).
    \143\ See, e.g., Deloitte, 2023 Transparency Report (Sep. 2023); 
EY US, 2023 Transparency Report (Oct. 26, 2023); KPMG International, 
Transparency Report 2023 (Dec. 2023); PricewaterhouseCoopers LLP, 
2023 Transparency Report (Oct. 31, 2023).
    \144\ See the SEC's Accounting and Auditing Enforcement Releases 
site, available at https://www.sec.gov/divisions/enforce/friactions.
---------------------------------------------------------------------------

    Certain information regarding some individual audit firms--such as 
total revenue, breakdown of revenue by service line, and number of 
partners and professionals--is accessible through paid subscription 
services, but these sources do not include all firms.\145\ In addition, 
certain aggregated information regarding groups of firms--such as 
revenue, profits, and compensation--is accessible through paid 
subscription services, but these sources do not provide information 
regarding individual firms.\146\
---------------------------------------------------------------------------

    \145\ See, e.g., Accounting Today, Top 100 Firms (2022).
    \146\ See, e.g., AICPA, National Management of an Accounting 
Practice Survey Results Report (Oct. 2023); Audit Analytics, 20-Year 
Review of Audit Fee Trends (July 2023).
---------------------------------------------------------------------------

    Audit committees can request and receive firm information through 
sources not available to the public, including directly from their 
incumbent auditors and tendering firms. In exercising their oversight 
responsibilities, for example, audit committees may seek information 
from the firm about PCAOB inspections, including information not 
contained in the PCAOB's public inspection reports.\147\ In addition, 
auditing standards and PCAOB and securities law provisions require 
specific communications from auditors to audit committees regarding a 
variety of matters related to the audit engagement. For example, audit 
committees receive information through communications from auditors to 
audit committees under PCAOB AS 1301, Communications with Audit 
Committees, and Exchange Act Section 10A reports regarding illegal acts 
at an issuer in certain situations, but this information pertains to 
the audit engagement or the issuer rather than the audit firm.
---------------------------------------------------------------------------

    \147\ See Information for Audit Committees About the PCAOB 
Inspection Process, PCAOB Rel. No. 2012-003 (Aug. 1, 2012).
---------------------------------------------------------------------------

    Several commenters affirmed that audit committees have bargaining 
power that gives the audit committee direct and timely access to 
information the audit committee requests. One commenter asserted that 
audit committees have access to any relevant peer firm information for 
comparisons with the incumbent audit firm, including when the audit 
committee is considering changing audit firms. The commenter also 
affirmed that audit firm information is available through publicly 
available sources, such as audit quality reports and transparency 
reports by larger firms, or by requesting any relevant non-public 
information from each potential audit firm. Another commenter, 
representing audit committee chairs, affirmed that audit committee 
chairs already receive or have access to most of the information that 
is being mandated. One commenter noted that the provision of 
information by audit firms to audit committees involves two-way 
contextual communication that the commenter believed will fulfill the 
objectives outlined in the proposal.
    The Board continues to agree that audit committees can request and 
receive firm information directly from their incumbent auditors and 
tendering firms. Likewise, the commenters affirmed that the firm 
information is not directly available to investors for their own voting 
and monitoring purposes. Moreover, the Board expects that audit 
committees will continue to engage in two-way communication with audit 
firms and that the required disclosures will equip investors with 
information they can use in communication with their own audit 
committees.
    The Board routinely collects supplemental audit firm information 
through the inspection process. For example, PCAOB staff periodically 
requests and receives select financial information, such as revenue and 
net income, to understand a firm's business and thereby to inform 
inspection scoping and planning. In addition, PCAOB staff periodically 
requests and receives data on audit firm boards of directors, including 
their composition and governance committees, to understand firms' 
governance structures and inform inspection scoping and planning. The 
supplemental information is not available to investors

[[Page 96753]]

or audit committees because information collected for inspections is 
privileged and confidential under the Sarbanes-Oxley Act,\148\ while 
information collected as part of the periodic reporting process is 
presumptively public.\149\
---------------------------------------------------------------------------

    \148\ See Section 105(b)(5) of Sarbanes-Oxley.
    \149\ See Section 102(e) of Sarbanes-Oxley. Although some 
information may nonetheless be determined to be confidential and, 
thus, would not be publicly reported.
---------------------------------------------------------------------------

    The proposal explained that PCAOB staff has also requested and 
received through the inspection process, financial statements for the 
U.S. global network firms (``GNFs'') \150\ to understand the financial 
condition or financial results at these firms that may affect audit 
quality or the provision of audit services. For example, financial 
statements provide useful information regarding where firm resources 
are dedicated to help evaluate the system of quality control. All U.S. 
GNFs compile financial statements on a non-GAAP or modified GAAP basis 
of accounting. Some compile financial statements in accordance with 
partnership agreements or agreements with lenders. While the financial 
statements are not fully consistent with GAAP, the U.S. GNFs generally 
use an accrual basis of accounting. The U.S. GNFs do not compile a full 
set of financial statements by service line. Two U.S. GNFs compile 
revenue by service line. In addition, based on the entity registered 
with the Board, some firms submit consolidated financial statements for 
the entire professional service practice, and other firms submit 
financial statements only for the audit practice.
---------------------------------------------------------------------------

    \150\ GNFs are the member firms of the six global accounting 
firm networks (BDO International Ltd., Deloitte Touche Tohmatsu 
Ltd., Ernst & Young Global Ltd., Grant Thornton International Ltd., 
KPMG International Ltd., and PricewaterhouseCoopers International 
Ltd.).
---------------------------------------------------------------------------

    Several commenters affirmed that U.S. audit firms generally compile 
financial statements on a non-GAAP or modified GAAP basis of 
accounting. One commenter asserted that the proposal did not explain 
how obtaining firms' financial statements has informed the inspection 
process. However, as noted in the previous paragraph, the proposal 
explained that PCAOB staff has requested and received financial 
statements for U.S. GNFs to understand the financial condition or 
financial results at these firms that may affect audit quality or the 
provision of audit services.
    PCAOB staff observations indicate that U.S. GNFs have designed 
policies and procedures to identify, mitigate, and respond to 
cybersecurity threats. The current PCAOB reporting framework does not 
specify that firms should provide PCAOB with notification of 
cybersecurity incidents or disclose information regarding cybersecurity 
policies and procedures. Cybersecurity is identified in recent surveys 
as a top risk by company executives, investors, and audit 
committees.\151\ In addition, PCAOB oversight indicates that the 
cybersecurity landscape faced by firms continues to evolve and that 
cybersecurity incidents at firms are increasing in both volume and 
complexity. Estimates of aggregate and per-incident annual costs 
associated with cybersecurity incidents vary widely,\152\ and the costs 
of responding to a cybersecurity incident decrease when organizations 
are well-prepared with cybersecurity playbooks and simulated 
cybersecurity incidents.\153\ Accounting firms are targeted by 
cybercriminals because firms are stewards of confidential 
information.\154\ In addition, smaller and mid-sized firms are targeted 
because they may lack sophisticated cybersecurity infrastructure and 
can act as gateways to other targets.\155\ While research finds that 
the statistical probability of a cybersecurity incident at smaller 
companies is lower than for larger companies,\156\ the costs of a 
cybersecurity incident are statistically disproportionately higher for 
smaller companies than for larger companies.\157\
---------------------------------------------------------------------------

    \151\ See, e.g., EY, EY CEO Imperative Study 2019 (July 2019); 
PCAOB, Spotlight: 2021 Conversations with Audit Committee Chairs 
(Mar. 2022); CAQ, Audit Committee Practices Report (Mar. 2024).
    \152\ See, e.g., Cybersecurity and Infrastructure Security 
Agency, Cost of a Cyber Incident: Systematic Review and Cross-
Validation (Oct. 26, 2020) (explaining that aggregate annual 
estimates for U.S. economic impacts from cyber incidents range from 
under $1 billion to over $242 billion while median estimates per 
incident range from about $56,000 to almost $1.9 million); Sasha 
Romanosky, Examining the Costs and Causes of Cyber Incidents, 2 
Journal of Cybersecurity 121 (2016) (finding the cost of a typical 
cyber incident is about 0.4 percent of a company's annual revenue); 
Cyentia Institute, Information Risk Insights Study (2020) (``Cyentia 
Report''), at 20 (finding that a data breach of 100,000 records has 
a 96 percent probability of costing at least $10,000 and only a 2.7 
percent probability of costing more than $100 million).
    \153\ See, e.g., PCAOB Investor Advisory Group Meeting (Sep. 26, 
2024), available at https://pcaobus.org/news-events/events/event-details/pcaob-investor-advisory-group-meeting-september-2024.
    \154\ See, e.g., Malia Politzer, Top Cyberthreats Targeting 
Accounting Firms, Journal of Accountancy (Mar. 16, 2020); Olivia 
Powell, PwC and EY Impacted by MOVEit Cyberattack, Cyber Security 
Hub (June 21, 2023); PCAOB Investor Advisory Group Meeting (Sep. 26, 
2024).
    \155\ See, e.g., Politzer, Top Cyberthreats.
    \156\ See, e.g., Cyentia Report, at 12 (finding that companies 
under $1 billion in annual revenue have less than a 2 percent chance 
of experiencing a breach whereas companies with at least $1 billion 
in annual revenue have at least a 9.6 percent chance).
    \157\ See, e.g., Cyentia Report, at 22 (finding that a $100 
billion company that experiences a typical cybersecurity incident 
should expect a cost of approximately $292,000, whereas a $100,000 
company should expect a cost of approximately $24,000).
---------------------------------------------------------------------------

Need
    This section discusses the problem that needs to be addressed and 
explains how the final rule is expected to address it. In general, 
three observations suggest that there is an economic need for the 
reporting requirements:
     Investors and audit committees encounter persistent 
opacity regarding audit firm information that is consistent and 
comparable across firms and over time. As a result, there is a risk 
that investors and audit committees will not accurately assess a firm's 
capacity, incentives, and constraints that best meet investor needs 
regarding the audit.
     Information regarding audit firm characteristics that will 
help assess a firm's capacity, incentives, and constraints has been 
requested by investors. However, the market for information does not 
provide standardized information regarding certain firm characteristics 
because firms, investors, and audit committees lack sufficient 
incentives necessary to develop a system of voluntary disclosure. As a 
result, firms do not supply the market with sufficient decision-useful 
information.\158\
---------------------------------------------------------------------------

    \158\ Given the considerations in the benefits and costs 
sections below, it appears reasonable to assume that the frictions 
in the market for information are likely to cause an apparent 
undersupply of information, rather than the cost of providing the 
information being greater than the social benefit.
---------------------------------------------------------------------------

     PCAOB staff experience with the extant PCAOB reporting 
framework has revealed incomplete or imperfect information regarding 
certain events at some audit firms. This impairs the Board's ability to 
perform its statutory oversight function.
    The Firm Reporting rule will help address this problem in two 
primary ways:
     The rule will require audit firms to publicly disclose 
firm information that is standardized across firms and over time and 
will aid investor and audit committee decision-making.
     The rule will require audit firms to report additional 
information and specified events and, in some cases, financial 
statements, which will enhance the effectiveness of the Board's 
statutory oversight.
    Investor-related groups affirmed the need for the reporting 
requirements. Several commenters questioned the

[[Page 96754]]

need for the reporting requirements. One commenter asserted that the 
proposal made no attempt to demonstrate a need. Some commenters 
suggested that the proposal lacked a rationale regarding how the 
reporting requirements will enhance transparency for stakeholders or 
statutory oversight. Another commenter asserted that the proposal did 
not clearly state a problem, making it difficult to identify 
alternatives. One commenter questioned whether the PCAOB is trying to 
influence audit firms' investing and operating decisions or to impose 
minimum capital requirements or de facto government auditing. Some 
commenters asserted that the proposal lacked adequate justification of 
the need for the large volume of reporting requirements. One commenter 
asserted that the PCAOB is unlikely to need the required data for 
registered but inactive firms and the PCAOB already has access to any 
relevant and appropriate data for active firms.
    The proposal and this release below explain that the required 
public disclosures and confidential reporting are intended to provide 
more information to the audit market to support: (i) audit committees 
in their appointment and monitoring of an audit firm, (ii) investors in 
their votes on proposals to ratify the appointment of an audit firm and 
in their efforts to oversee the audit committee, and (iii) the Board's 
ability to perform its statutory oversight function as it relates to 
emerging risks. In addition, many commenters seemed to demonstrate an 
understanding of the problem by suggesting several alternatives that 
are summarized in a section below. Moreover, the proposal did not state 
or intend to suggest that the Board plans to influence audit firms' 
investing and operating decisions or impose minimum capital 
requirements or de facto government auditing, nor does the Board intend 
for the final rule to have such influence. While the Board agrees that 
the final rule increases the volume of reporting requirements, the 
Board notes that much of the information is already reported through 
the PCAOB inspection process, as explained in a section above, or made 
available to audit committee chairs, as noted by one commenter 
representing audit committee chairs. Finally, while the commenter did 
not offer a definition of ``active'' firms or ``inactive'' firms, the 
PCAOB's current access to any relevant and appropriate data for 
registered firms does not address investors' current lack of access to 
the required disclosures. In addition, the Board does not rule out the 
possibility that investors or audit committees could have future needs 
for the required disclosures of all registered firms.
    The following sections describe in more detail the problem to be 
addressed and how the reporting requirements will address it.
1. Problem To Be Addressed
i. Persistent Opacity Regarding Firm Information
a. Investors and Audit Committees
    Reliable company financial statements help investors evaluate 
company performance and monitor managements' stewardship of investor 
capital. An audit committee is established by the company's board of 
directors and is statutorily entrusted to appoint, compensate, and 
oversee the work of the audit firm.\159\ In its appointment decision, 
the audit committee evaluates firms to identify a firm with the 
capacity, incentives, and constraints that best meet investor needs 
regarding the audit. Once the audit committee appoints a firm, the 
audit committee then monitors the firm.\160\ However, the audit 
committee may focus on the interests of investors who are current 
shareholders rather than the broader public interest (e.g., market 
confidence, potential future shareholders, or investors in other 
companies). Moreover, there is a risk that the audit committee may not 
monitor the firm effectively because the firm may seek to satisfy the 
interests of company management rather than investors if management is 
able to exercise influence over the audit committee's supervision of 
the firm.\161\
---------------------------------------------------------------------------

    \159\ See Section 301 of Sarbanes-Oxley and Section 10A(m)(2) of 
the Securities Exchange Act.
    \160\ See, e.g., CAQ, 2023 Audit Committee Transparency 
Barometer (Nov. 2023) (``CAQ Barometer Report'') (noting that 
oversight of the external auditor continues to be at the core of the 
audit committee's responsibilities).
    \161\ See, e.g., Joshua Ronen, Corporate Audits and How to Fix 
Them, 24 Journal of Economic Perspectives 189 (2010) (explaining 
that audit committee members are paid by the company and can be 
dependent on top company management for a variety of benefits, 
including referrals as a possible member on the board of directors 
and audit committees of other companies); Liesbeth Bruynseels and 
Eddy Cardinaels, The Audit Committee: Management Watchdog or 
Personal Friend of the CEO?, 89 The Accounting Review 113 (2014) 
(finding that companies whose audit committees have ``friendship'' 
ties to the CEO purchase fewer audit services and engage more in 
earnings management); Cory A. Cassell, Linda A. Myers, Roy 
Schmardebeck, and Jian Zhou, The Monitoring Effectiveness of Co-
Opted Audit Committees, 35 Contemporary Accounting Research 1732, 
1733-1734 (2018) (finding that the likelihood of a financial 
statement misstatement is higher and that absolute discretionary 
accruals are larger when audit committee co-option, as measured by 
the proportion of audit committees who joined the board of directors 
after the current CEO's appointment, is higher); Nathan Berglund, 
Michelle Draeger, and Mikhail Sterin, Management's Undue Influence 
over Audit Committee Members: Evidence from Auditor Reporting and 
Opinion Shopping, 41 Auditing: A Journal of Practice & Theory 49 
(2022) (finding that greater management influence over audit 
committee members is associated with a lower propensity of the 
auditor to issue a modified going concern opinion to a distressed 
company under audit and with increased opinion shopping behavior).
---------------------------------------------------------------------------

    As a result of this risk, investors have an important, albeit 
indirect, role in overseeing the audit firm. Indeed, while the audit 
committee more directly oversees the firm, most publicly traded 
companies allow investors to vote on a proposal to ratify the audit 
committee's appointment of an audit firm. This ratification vote 
enables investors to demonstrate whether they support the audit 
committee's appointment of the firm.\162\ To inform the appointment 
ratification vote, audit committee disclosures in annual company proxy 
statements indicate that some audit committees consider a variety of 
public and non-public information when appointing their auditor, 
including public data regarding the candidate firm and its peer 
firms.\163\
---------------------------------------------------------------------------

    \162\ Voting on a proposal to ratify the appointment of the 
audit firm is not statutorily required and in many cases the 
ratification vote is non-binding. However, according to Audit 
Analytics accessed on Mar. 1, 2024, ratification votes had been held 
for the year ended in 2023 by 2,802 distinct companies included in 
the Russell 3000 index, which comports with other estimates that 
indicate between 80 and 95 percent of companies hold votes on 
ratification proposals as part of their proxy process. See, e.g., 
ACAP Final Report, at VIII.20 (finding that 95 percent of S&P 500 
companies and 70-80 percent of smaller companies put ratification 
proposals up for an annual shareholder vote); Lauren M. Cunningham, 
Auditor Ratification: Can't Get No (Dis)Satisfaction, 31 Accounting 
Horizons 159, 161 (2017) (finding that more than 90 percent of a 
sample of Russell 3000 companies voluntarily include an appointment 
ratification vote on the ballot). The Board notes that broker 
discretionary voting is permitted on ratification proposals and 
ratification proposals may be used as a mechanism by some companies 
to achieve a quorum to conduct an annual meeting as a result of 
brokers exercising discretionary votes.
    \163\ See, e.g., CAQ Barometer Report, at 15-18 (presenting 
examples of audit committee disclosures that summarize the 
information the audit committee considered when appointing the audit 
firm).
---------------------------------------------------------------------------

    Research suggests that investor decisions regarding the appointment 
ratification vote rely in part on the alignment of the firm's capacity, 
incentives, and constraints with investor needs regarding the 
audit.\164\

[[Page 96755]]

Research also suggests that investors are more likely to challenge an 
audit committee's appointment of a firm when they have access to firm 
information that reflects a firm's capacity, incentives, and 
constraints, such as information regarding a breakdown of the firm's 
audit and non-audit fees that can be used to assess independence.\165\ 
However, a lack of transparency regarding firm information leaves 
investors less equipped to assess a firm's capacity, incentives, and 
constraints when voting on a proposal to ratify the appointment made by 
the audit committee or in exercising their rights to oversee the audit 
committee through board of director elections. Even proxy advisors rely 
upon relatively limited publicly available information in making voting 
recommendations regarding ratification of the audit committee's 
appointment, which institutional and retail investors may then rely 
upon.\166\ Moreover, the presence of significant block holdings by 
diversified, passive investment funds, which often do not hold board of 
director seats, means that decision-useful information may not be 
provided by audit firms to a significant control group in cases where 
the fund managers do not hold a board seat.\167\
---------------------------------------------------------------------------

    \164\ See, e.g., Mai Dao, K. Raghunandan, and Dasaratha V. Rama, 
Shareholder Voting on Auditor Selection, Audit Fees, and Audit 
Quality, 87 The Accounting Review 149, 168 (2012) (concluding that 
shareholder votes on proposals to ratify the appointment of an audit 
firm can be viewed as aligning the firm's incentives more with 
shareholders than in cases where the audit committee makes the 
hiring decision without a shareholder vote); Cunningham, Auditor 
Ratification 174 (noting that proxy advisor guidelines recommend 
against a proposal to ratify the appointment of a firm if there is 
information that suggests a conflict between the firm's interests 
and shareholder interests).
    \165\ See, e.g., Suchismita Mishra, K. Raghunandan, and 
Dasaratha V. Rama, Do Investors' Perceptions Vary with Types of 
Nonaudit Fees? Evidence from Auditor Ratification Voting, 24 
Auditing: A Journal of Practice and Theory 9 (2005) (finding that 
the SEC's requirement for companies to disclose partitioned 
information about tax and other non-audit fees paid to a company's 
independent audit firm had a positive association with the 
proportion of investor votes against ratification proposals in 
2003); Cunningham, Auditor Ratification 174 (noting that proxy 
advisor guidelines recommend against a proposal to ratify the 
appointment a firm if non-audit fees exceed the sum of audit fees, 
audit-related fees, and tax preparation fees). Other research 
indicates that investors rely on publicly available PCAOB 
information to make informed appointment ratification decisions. 
See, e.g., Paul N. Tanyi, Dasaratha V. Rama, and K. Raghunandan, 
Auditor Tenure Disclosure and Shareholder Ratification Voting, 35 
Accounting Horizons 167 (2021) (finding that in the case of 
companies with long (short) auditor tenure, the proportion of 
shareholder votes not ratifying the appointment of an auditor 
increased (decreased) after PCAOB mandated public disclosure of 
auditor tenure).
    \166\ See, e.g., Cunningham, Auditor Ratification, 163 
(explaining that proxy advisors are left to rely on publicly 
available cues about auditor independence and audit quality because 
SEC DEF 14-A proxy statement disclosures require relatively little 
information about the audit committee's process for appointing or 
retaining a specific firm subject to vote). The Board notes that 
research also indicates that retail investors may not necessarily 
use information regarding an audit firm in their decisions to vote 
on a proposal to ratify the appointment of the firm. See, e.g., Cory 
A. Cassell, Tyler J. Kleppe, and Jonathan E. Shipman, Retail 
Shareholders and the Efficacy of Proxy Voting: Evidence from Auditor 
Ratification, 29 Review of Accounting Studies 75 (2024) (finding 
that appointment ratification votes become less informed--i.e., 
associated with factors that do not reflect auditor performance--as 
retail ownership increases).
    \167\ While diversified, passive investment funds hold large 
shares of U.S. companies, non-financial blockholders or insiders may 
also hold large shares. See, e.g., Amir Amel-Zadeh, Fiona Kasperk, 
and Martin Schmalz, Mavericks, Universal, and Common Owners--The 
Largest Shareholders of U.S. Public Firms, available on SSRN: 
https://ssrn.com/abstract=4219430 (2022) (showing that between 2003-
2020 up to one-fifth of the largest U.S. companies had a non-
financial blockholder or insider as their largest shareholder). The 
Board notes that SSRN does not peer review its submissions.
---------------------------------------------------------------------------

    Several commenters affirmed the point made in the proposal and in 
this release that shareholder voting on a proposal to ratify the 
appointment of the audit firm is not statutorily required and in many 
cases the ratification vote is non-binding. One commenter asserted that 
audit committees are functioning effectively under current rules. The 
commenter further noted that it is rare for shareholders not to vote in 
favor of ratifying the audit committee's selection, and opined that 
this is because shareholders reasonably rely on the audit committee to 
fulfill their responsibilities and regularly engage with the auditor. 
One commenter suggested that the required disclosures are an attempt to 
circumvent the work of audit committees. However, the proposal did not 
state or intend to suggest that the required disclosures are an attempt 
to circumvent the work of audit committees, nor is the final rule 
intended to have such an effect. In contrast, the Board believes the 
required disclosures will create opportunities to strengthen 
communication between audit committees and investors and for investors 
to play a more proactive role in the selection of the audit firm and 
more proactively and efficiently monitor the work of audit 
committees.\168\
---------------------------------------------------------------------------

    \168\ Recent trends in investors' votes against appointment 
ratifications indicate that investors have an interest in playing a 
more proactive role in the selection of the audit firm. See, e.g., 
Jennifer Williams, The Morning Ledger: Investor Votes Against Big 
Companies' Auditors Climbs, Dow Jones Institutional News (June 18, 
2024) (noting that 4.3 percent of investors voted against the 
appointment ratification of S&P 500 companies' auditors through June 
3, 2024, more than triple the proportion of a decade earlier and up 
from 3.7 percent last year, according to Ideagen Audit Analytics).
---------------------------------------------------------------------------

    Several commenters questioned whether the required disclosures will 
be useful to investors and audit committees. One commenter explained 
that the audit committee's statutory responsibility to represent the 
needs of investors and make informed decisions about the appointment 
and retention of auditors makes it unclear whether increased public 
disclosures by firms will lead to different investor decision-making. 
One commenter asserted that the required disclosures are not needed by 
audit committees in their oversight of auditors or by investors for 
their voting and investment decisions. The commenter further asserted 
that audit committees are not asking for the required disclosures and 
that the required disclosures are not material information for 
investors' voting or capital allocation decisions. Another commenter 
suggested that audit committees may find certain of the required 
disclosures relevant to their oversight of the audit firm and affirmed 
that audit committees currently have a channel to request and receive 
the information.
    Investor-related groups affirmed the decision-usefulness of the 
reporting requirements for ratification votes and the election or 
reelection of audit committee chairs and members as articulated in the 
proposal. The comments received from investor-related groups suggest 
that investors have different perspectives than other commenters 
regarding the usefulness of the required disclosures to investors. For 
example, the comments from investor-related groups suggest that the 
information is material enough for investors to use in their 
ratification votes or in their oversight of audit committees. In 
addition, one commenter, representing audit committee chairs, asserted 
that audit committee chairs already receive or have access to most of 
the mandated information from audit firms. The fact that firms have 
arranged to provide the information voluntarily to audit committee 
chairs despite the cost of doing so suggests to the Board that some 
audit committees do find value in some of the required disclosures and 
explains why audit committees are not asking for the required 
disclosures. Moreover, the Board continues to agree that audit 
committees can request and receive firm information directly from their 
incumbent auditors and tendering firms, and the Board believes that 
audit committees will continue to do so for information that is not 
included in the required disclosures.
    One commenter, representing audit committee chairs, questioned 
whether investors will make use of the required disclosures in their 
decision-making and asserted that most of the information is rarely, if 
ever, requested by investors, much less the subject of discussions with 
investors. However,

[[Page 96756]]

affirmative comments from investor-related groups suggested that 
investors will make use of the required disclosures in their decision-
making.
    One commenter suggested that stakeholders who have recommended 
additional information or different information from the information 
already provided in firms' transparency reports and audit quality 
reports should be asked to describe how similar information is being 
utilized and, with some level of specificity, what specific information 
the stakeholders would find incrementally useful, and why. However, the 
Board does not believe that stakeholders who have recommended 
additional information or different information from firms' 
transparency reports or audit quality reports could describe how 
similar information is being utilized because the additional 
information or different information is currently not publicly 
available for the stakeholders to use. Moreover, affirmative comments 
from investor-related groups suggested that the required disclosures 
reflect the specific information that investors will find useful.
    One commenter asserted that the proposal provided no evidence that 
audit committees are deficient in obtaining relevant information for 
purposes of selecting and retaining auditors. However, the proposal did 
not claim that audit committees are deficient in obtaining relevant 
information for purposes of their auditor selection and retention 
decisions. Another commenter asserted that the economic analysis in the 
proposal appeared to be inappropriately based on a premise that audit 
committees do not currently receive information that they require to 
fulfill their fiduciary responsibilities. However, the proposal did not 
claim that audit committees do not currently receive information that 
they require to fulfill their fiduciary responsibilities and was not 
based on this premise. In contrast, the proposal explicitly stated that 
audit committees can request and receive firm information directly from 
their incumbent auditors and tendering firms, even though the 
information lacks standardization. The proposal also explicitly stated 
that the potential benefits of better-informed selection decisions and 
monitoring will be reduced to the extent that audit committees request 
and receive firm information via ad hoc requests from incumbent or 
tendering firms.
b. Evidence of Persistent Opacity
    As described in a section above, the Board collects supplemental 
information through the PCAOB inspection process. Investors cannot use 
the information in their decision-making because the information is not 
publicly disclosed as part of that process. However, some of the 
information could be useful to inform investors' views of firms.
    Two sources suggest that some of the supplemental information 
collected through the inspection process, and required for disclosure, 
will be useful to investors. First, the ACAP Final Report \169\ 
recommends, based in part on investor support, that the PCAOB require 
each large firm to produce an annual report that includes disclosure of 
firm operating characteristics such as legal and network structure, 
governance, partner remuneration policies, and financial information, 
including audit fees, tax advisory fees, and consulting fees.\170\ 
Moreover, the report recommends that the PCAOB determine which of the 
characteristics should be required in annual reports of smaller firms, 
taking into account firm resources.\171\ Second, as described in the 
Background and Key Considerations section, investor-related groups have 
more recently invoked the ACAP Final Report and suggested that certain 
firms be required to disclose information regarding firm operating 
characteristics, such as annual audited financial statements or 
information about firm governance, leadership, and structure.\172\
---------------------------------------------------------------------------

    \169\ The ACAP included investor leaders among other leaders and 
was focused on strengthening the audit profession for investor 
protection. The ACAP considered issues affecting the sustainability 
of the auditing profession, including human capital, firm structure 
and finances, and audit market concentration and competition. Most 
closely related to this rule, the ACAP Final Report recognized on 
behalf of investors and the public that disclosure of certain firm 
operating characteristics, including financial and governance 
information, affect how the firm functions. See ACAP Final Report, 
at II.2, II.4.
    \170\ See ACAP Final Report, at VII.21.
    \171\ See ACAP Final Report, at VII.23.
    \172\ See, e.g., PCAOB Investor Advisory Group Meeting (June 8, 
2022) (suggesting that unimplemented ACAP recommendations be 
implemented, including information regarding firm governance, 
leadership, and structure); PCAOB Investor Advisory Group Meeting 
(Oct. 27, 2016) (discussing the status of ACAP recommendations, 
including large firm provision of financial statements); Comment No. 
35 from the Council of Institutional Investors (Mar. 19, 2020), 
Rulemaking Docket 046: Quality Control, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket046/035_cii.pdf?sfvrsn=5ade7257_0, at 7 (suggesting that 
certain firms be required to provide annual audited financial 
statements and information about firm governance).
---------------------------------------------------------------------------

    One commenter noted that the Financial Stability Oversight Council 
(FSOC) was created several years after issuance of the ACAP Final 
Report, and that recommendations in the ACAP Final Report for the PCAOB 
to collect information from firms and monitor financial stability or 
catastrophic risk need to be reconsidered and recalibrated through the 
lens of subsequent events. The Board agrees with the commenter, and the 
reporting requirements in the final rule have been developed based on 
periodic public feedback from stakeholders, as noted above, including 
public comments received in response to the proposal, since the ACAP 
Final Report was issued.
    One commenter asserted that the proposal seemed to rely on 
conjecture or assumptions without a broad swath of audit committee or 
investor input requesting such information. The commenter reported 
results of a survey of 100 institutional investors \173\ and a survey 
of 242 audit committee members \174\ that reference the Firm and 
Engagement Metrics proposal and the Firm Reporting proposal as context 
to gather perspectives from each stakeholder group regarding the use of 
standardized firm and engagement information when selecting and 
monitoring the audit firm.
---------------------------------------------------------------------------

    \173\ See CAQ Investor Survey.
    \174\ See CAQ Audit Committee Survey.
---------------------------------------------------------------------------

    The survey of 100 institutional investor respondents asked about 
respondents' opinions regarding the board of director's and the audit 
committee's knowledge to select an audit firm.\175\ The results showed 
that: (i) 40 percent of respondents strongly agreed and 44 percent 
agreed that boards of directors and audit committees should consider 
some standard information about auditors when selecting a firm but 
ultimately rely on their unique needs and knowledge of the company and 
its industry; (ii) 37 percent of respondents strongly agreed and 51 
percent agreed that boards of directors and audit committees are best 
suited to determine the specific criteria for auditor selection based 
on their unique business experience and knowledge of the company and 
its industry; (iii) 34 percent of respondents strongly agreed and 47 
percent agreed that mandatory and standardized firm and engagement 
metrics are necessary for company management and audit committees to 
uphold fiduciary responsibilities to shareholders; and (iv) 30 percent 
strongly agreed and 39 percent agreed that boards of directors and 
audit committees lack access to the information they need to make an

[[Page 96757]]

informed decision about selecting an audit firm. Thus, while a majority 
of institutional investors surveyed agree or strongly agree that boards 
of directors and audit committees have the knowledge necessary to 
select an audit firm, a majority also agree or strongly agree that some 
mandatory, standardized firm information is necessary for company 
management, boards of directors, and audit committees to uphold their 
fiduciary responsibilities and to make informed decisions regarding 
audit firm selection.
---------------------------------------------------------------------------

    \175\ See CAQ Investor Survey. The survey question asked, ``How 
strongly do you agree or disagree with the following statements 
about mandated disclosures of firm and engagement-level metrics?''
---------------------------------------------------------------------------

    The survey of 242 audit committee member respondents asked about 
respondents' opinions regarding the board of director's and the audit 
committee's knowledge to select an audit firm.\176\ The results showed 
that: (i) 59 percent of respondents feel that boards of directors and 
audit committees should consider some standard information about 
auditors when selecting a firm and performing oversight 
responsibilities but ultimately rely on their unique needs and 
knowledge of the company and its industry; (ii) 40 percent of 
respondents feel that boards of directors and audit committees are best 
suited to determine the specific criteria for auditor selection and 
oversight based on their unique business experience and knowledge of 
the company and its industry; and (iii) 1 percent of respondents feel 
that boards of directors and audit committees should defer to 
standardized metrics about auditor performance when selecting and 
overseeing their auditor. Thus, while a majority of audit committee 
members surveyed agree that boards of directors and audit committees 
have the knowledge necessary to select an audit firm, a majority also 
agree that boards of directors and audit committees should consider 
some standard information about the audit firm. While the last response 
appears to identify performance metrics, the Board agrees with the 
general sentiment of the response that boards of directors and audit 
committees should not defer solely to standardized metrics, including 
firm operating characteristics, when selecting and overseeing the audit 
firm. However, the Board continues to believe that the public 
availability of some firm operating characteristics will enhance the 
information environment for investors and audit committees and that 
standardized information will reduce the time audit committees spend 
gathering information.
---------------------------------------------------------------------------

    \176\ See CAQ Audit Committee Survey. The survey question asked, 
``Which of the following statements most closely matches your 
opinion about the corporate board's responsibility to select and 
appoint an auditor?''
---------------------------------------------------------------------------

    The survey of 242 audit committee member respondents also found 
that 59 percent of respondents feel that the information available to 
audit committees to fulfill their audit oversight responsibilities and 
assess the quality of their external auditor at both a firm and 
engagement level meets all of the audit committee member's needs.\177\ 
In addition, 36 percent of audit committee member respondents feel that 
the information meets most of the member's needs, 4 percent feel that 
the information meets some of member's needs, 1 percent feel that the 
information does not meet some of the member's needs, and none feel 
that the information does not meet most of the member's needs.\178\ Of 
the 99 audit committee members who answered that the information does 
not meet all of the member's needs, 15 percent indicated they want 
additional information about the audit firm, and 8 percent indicated 
they want additional information about other audit firms.\179\ While 
these results suggest that the vast majority of audit committee member 
respondents feel they have sufficient information regarding audit 
firms, the former result (i.e., 15 percent) suggests that those audit 
committee member respondents feel that they may lack complete 
information to fulfill their audit oversight responsibilities and 
assess the quality of their external auditor, and the latter result 
(i.e., 8 percent) suggests that those audit committee member 
respondents feel that they may lack information to be able to 
efficiently and effectively evaluate the characteristics of a candidate 
firm against those of peer firms.
---------------------------------------------------------------------------

    \177\ See CAQ Audit Committee Survey. The survey question asked, 
``What is your opinion on the information available to you to 
fulfill your audit oversight responsibilities and assess the quality 
of your external auditor at both a firm and engagement level?''
    \178\ See CAQ Audit Committee Survey.
    \179\ See CAQ Audit Committee Survey. The survey question asked, 
``What are the top three areas in which you want additional 
information about your individual audit engagement(s)?''
---------------------------------------------------------------------------

ii. Lack of Sufficient Incentives To Develop a System of Voluntary 
Disclosures Regarding Firm Information
    The market does not provide audit firms with sufficient incentives 
to develop an efficient and effective system of standardized voluntary 
disclosures regarding firm operating characteristics. If market forces 
do not provide sufficient incentives, then economic theory suggests 
regulation may be necessary to generate changes in behavior.\180\ The 
Board considers supply-side and demand-side reasons that market forces 
do not provide sufficient incentives.
---------------------------------------------------------------------------

    \180\ See, e.g., Christian Leuz and Peter D. Wysocki, The 
Economics of Disclosure and Financial Reporting Regulation: Evidence 
and Suggestions for Future Research, 54 Journal of Accounting 
Research 525 (2016); Anat R. Admati and Paul Pfleiderer, Forcing 
Firms to Talk: Financial Disclosure Regulation and Externalities, 13 
The Review of Financial Studies 479 (2000); Ronald A. Dye, Mandatory 
Versus Voluntary Disclosures: The Cases of Financial and Real 
Externalities, 65 The Accounting Review 1 (1990); John C. Coffee, 
Jr., Market Failure and the Economic Case for a Mandatory Disclosure 
System, 70 Virginia Law Review 717 (1984).
---------------------------------------------------------------------------

a. Supply-Side Reasons
    Economic theory suggests that high-quality companies have an 
incentive to voluntarily disclose information to the extent it allows 
them to differentiate themselves from low-quality competitors.\181\ 
However, there are countervailing forces that limit firms' incentives 
to develop a system of standardized voluntary disclosures.
---------------------------------------------------------------------------

    \181\ See, e.g., W. Kip Viscusi, A Note on ``Lemons'' Markets 
with Quality Certification, 9 The Bell Journal of Economics 277 
(1978).
---------------------------------------------------------------------------

    Firms would incur private coordination costs, such as costs 
associated with collectively developing and monitoring compliance with 
a system of standardized voluntary disclosures. If regulation makes the 
information available in a standardized manner, then the coordination 
costs would instead be covered by the regulator. Firms may also be 
deterred by private competitive costs they could incur, such as costs 
associated with competitors leveraging disclosed information to capture 
market share.\182\ There could also be a status quo bias whereby firms 
prefer to continue a non-disclosure policy despite investors' calls for 
additional information.\183\
---------------------------------------------------------------------------

    \182\ See, e.g., Philip G. Berger, Jung Ho Choi, and Sorabh 
Tomar, Breaking it Down: Economic Consequences of Disaggregated Cost 
Disclosures, 70 Management Science 1374 (2024) (finding that after a 
Korean rule change that allowed companies to withhold a previously 
mandated disaggregation of cost of sales in their income statements, 
companies' profitability increased because withholding information 
reduced the transfer of competitive information to peer companies); 
Oliver Board, Competition and Disclosure, 57 The Journal of 
Industrial Economics 197 (2009) (finding that companies may be 
reluctant to voluntarily disclose in competitive markets); Daniel A. 
Bens, Philip G. Berger, and Steven J. Monahan, Discretionary 
Disclosure in Financial Reporting: An Examination Comparing Internal 
Firm Data to Externally Reported Segment Data, 86 The Accounting 
Review 417 (2011) (finding that companies provide fewer pseudo-
segment disclosures due to proprietary costs or competitive 
concerns).
    \183\ There are a variety of reasons why individuals may choose 
the status quo outcome in lieu of an unknown outcome, including 
aversion to the uncertainty inherent in moving from the status quo 
to another option. See, e.g., William Samuelson and Richard 
Zeckhauser, Status Quo Bias in Decision Making, 1 Journal of Risk 
and Uncertainty 7 (1988).

---------------------------------------------------------------------------

[[Page 96758]]

    There is also a positive externality associated with the 
availability of firm information, such as certain governance 
information.\184\ Standardized disclosures across firms and over time 
would provide benefits to a variety of investors, including current 
shareholders, potential future shareholders, and investors in other 
companies. However, firms do not negotiate with all of these parties, 
and some beneficiaries of the disclosures may have no influence over 
the firm at all. Economic theory suggests that, in the presence of 
positive externalities, markets may undersupply goods or services 
absent any regulatory intervention.\185\ As a result, the positive 
externality may create a risk that the firm would not provide complete 
information to the market because the firm would not consider the 
benefits that accrue to all investors.
---------------------------------------------------------------------------

    \184\ See, e.g., N. Gregory Mankiw, Principles of Economics 200, 
201 (6th ed. 2008) (``In the presence of a positive externality, the 
social value of the good exceeds the private value. The optimal 
quantity is therefore larger than the equilibrium quantity . . . 
Positive externalities lead markets to produce a smaller quantity 
than is socially desirable.'').
    \185\ See, e.g., Mankiw, Principles of Economics 200, 201.
---------------------------------------------------------------------------

    In addition, investors lack a mechanism to independently validate 
the information. This information asymmetry creates a risk that the 
firm could provide inaccurate information.\186\ Firms may further be 
inclined to offer voluntary disclosures for marketing purposes because 
the disclosures would not be subject to the regulatory review and 
enforcement that accompanies mandatory disclosures, which could have 
implications for the overall relevance and quality of the information. 
Likewise, firms may have incentives to withhold certain information, 
such as negative information, if the firms perceive that disclosure may 
damage their reputation or commercial prospects.\187\ Thus, voluntary 
disclosure cmay result in an inefficient disclosure of information to 
the market and reduce the utility of the information to investors, so 
much so that a market could fail to exist.\188\ Enforcement mechanisms 
that are available to regulators could be used to ensure the 
completeness and accuracy of firm information under a mandatory 
reporting framework.
---------------------------------------------------------------------------

    \186\ See, e.g., Mankiw, Principles of Economics 468 (``A 
difference in access to relevant knowledge is called an information 
asymmetry.'').
    \187\ See, e.g., Eli Amir, Shai Levi, and Tsafrir Livne, Do 
Firms Underreport Information on Cyberattacks? Evidence from Capital 
Markets, 23 Review of Accounting Studies 1177 (2018) (concluding 
that mangers voluntarily disclose less severe cyberattacks and 
withhold information from investors regarding cyberattacks that 
cause greater damage).
    \188\ See, e.g., George A. Akerlof, The Market for ``Lemons'': 
Quality Uncertainty and the Market Mechanism, 84 The Quarterly 
Journal of Economics 488 (1970) (discussing how low-quality cars may 
drive out high-quality cars from the used car market).
---------------------------------------------------------------------------

b. Demand-Side Reasons
    Investors do not directly contract with audit firms and, thus, 
generally lack bargaining power to request and receive information from 
the firm. Moreover, gathering standardized information regarding peer 
firms' operating characteristics would incur significant private costs 
because that information is also non-public. While investors could seek 
to acquire information regarding firm characteristics from the company 
under audit, a free-rider problem exists in which the costs incurred by 
one or more investors to convince the company to provide such 
information would not be shared by all other investors.\189\ However, 
all other investors would benefit from the required public disclosure 
of that information because the information would likely need to be 
publicly disclosed.\190\ Since the investors who incur the costs would 
not reap the exclusive benefit of their efforts, their incentive to 
make the effort is lower, and the likelihood of an under-provision of 
the information by firms is higher.
---------------------------------------------------------------------------

    \189\ See Mankiw, Principles of Economics 220, 222 (``A free 
rider is a person who receives the benefit of a good but avoids 
paying for it . . . A free-rider problem arises when the number of 
beneficiaries is large and exclusion of any one of them is 
impossible.'').
    \190\ See Regulation Fair Disclosure, 17 CFR 243.100(b)(1)(iv).
---------------------------------------------------------------------------

    As discussed above, audit committees are already privy to certain 
information about their auditors beyond what is publicly available. 
However, even if the audit committee requests information and the 
information is provided by the firm, the information would be with 
respect to that firm alone and could lack consistency and comparability 
with peer firms. Audit committees could also conceivably request and 
receive information from all tendering firms but obtaining standardized 
information would be burdensome. Thus, without mandatory disclosure, 
audit committees also lack context to be able to efficiently and 
effectively evaluate the characteristics of a candidate firm against 
those of peer firms.\191\
---------------------------------------------------------------------------

    \191\ As noted above, the CAQ Audit Committee Survey indicated 
that approximately 15 out of 99 audit committee member respondents 
indicated they want additional information about the audit firm, and 
8 indicated they want additional information about other audit 
firms.
---------------------------------------------------------------------------

c. Evidence of Ineffective Voluntary Disclosures by Firms
    As described above, some audit firms disclose certain firm 
information through voluntary transparency reports. While firms that 
provide voluntary transparency reports are generally larger firms, many 
smaller firms do not release such reports. Extant academic literature 
provides mixed evidence as to whether transparency reports are an 
effective tool for conveying informative disclosures regarding audit 
quality.\192\ Some research also finds that, because the information 
contained in transparency reports is relatively unregulated, the 
disclosures and contextual discussion lack standardization across firms 
or even within firms.\193\ A lack of standardization means that the 
disclosures have limited comparative value, inhibiting their usefulness 
to investors and audit committees.\194\ In addition, the UK Financial 
Reporting Council has concluded that transparency reports, as they 
currently exist, are not an effective means of disclosure.\195\
---------------------------------------------------------------------------

    \192\ See, e.g., Rogier Deumes, Caren Schelleman, Heidi Vander 
Bauwhede, and Ann Vanstraelen, Audit Firm Governance: Do 
Transparency Reports Reveal Audit Quality?, 31 Auditing: A Journal 
of Practice & Theory 193, 207-208 (2012) (concluding that current 
transparency report disclosures required in the European Union do 
not appear to reveal underlying audit firm quality); Shireenjit K. 
Johl, Mohammad Badrul Muttakin, Dessalegn Getie Mihret, Samuel 
Cheung, and Nathan Gioffre, Audit Firm Transparency Disclosures and 
Audit Quality, 25 International Journal of Auditing 508 (2021) 
(finding for Australian firms a positive association between 
governance disclosures and audit quality for large firms but no 
statistical association for medium and smaller firms).
    \193\ See, e.g., Sakshi Girdhar and Kim Klarskov Jeppesen, 
Practice Variation in Big-4 Transparency Reports, 31 Accounting, 
Auditing & Accountability Journal 261 (2018) (finding that the 
content of transparency reports is inconsistent and the transparency 
reporting practice is not uniform within large-firm networks).
    \194\ Similar economic outcomes exist for comparability in 
financial disclosures, suggesting there may be inherent value and 
information efficiency benefits generated under uniform disclosure 
regimes. See, e.g., Bingyi Chen, Ahmet C. Kurt, and Irene Guannan 
Wang, Accounting Comparability and the Value Relevance of Earnings 
and Book Value, 31 Journal of Corporate Accounting & Finance 82 
(2020).
    \195\ See, e.g., Financial Reporting Council, Transparency 
Reporting: AQR Thematic Review (Sep. 2019) (finding that surveyed 
investors and audit committee chairs are either unaware of or 
perceive limited use in audit firm transparency reporting in the 
UK).
---------------------------------------------------------------------------

    One commenter asserted that the studies cited likely include 
outdated information because transparency reporting has improved over 
the past few years and urged the Board to consider more recent 
transparency reports to evaluate the value of

[[Page 96759]]

information that is already publicly available. Another commenter noted 
that firms have invested significant efforts and resources to provide 
transparency through transparency reports and audit quality reports. 
The commenter cited comments made by investor representatives that 
suggest that certain investors and investor-related groups calling for 
additional audit firm reporting were unaware of the qualitative and 
quantitative information firms are already providing.\196\ The 
commenter suggested that the proposal did not clarify whether there are 
information gaps in current transparency reports or audit quality 
reports. The commenter further suggested that the PCAOB's rulemaking 
should be informed through an in-depth analysis of information that is 
currently provided in firms' transparency reports and audit quality 
reports and further multi-stakeholder input on the content included or 
omitted from firms' transparency reports and audit quality reports.
---------------------------------------------------------------------------

    \196\ See, e.g., PCAOB Standards and Emerging Issues Advisory 
Group Meeting (Nov. 2, 2022) (suggesting that investors do not read 
firm-level reports or know the reports exist because the reports do 
not provide enough quantitative information that facilitates 
investors' efforts to measure audit quality across firms).
---------------------------------------------------------------------------

    While the Board notes that the comments made by investor 
representatives regarding investors' awareness of information that 
firms are already providing were made in the context of firm and 
engagement metrics, rather than the Firm Reporting rule, the Board also 
notes that firms' transparency reports and audit quality reports do 
contain some content that is related to the Firm Reporting rule. As 
explained in the proposal and in this release, the PCAOB staff 
considered the most recent transparency reports of the largest audit 
firms. The PCAOB staff reviewed the transparency reports and the audit 
quality reports of the six largest firms with the scope of the Firm 
Reporting rule in mind. The content of the reports includes some 
information that is within scope of the Firm Reporting rule, such as 
high-level summaries of revenue and general information regarding 
governance and legal structure, networks, and quality control policies 
and procedures. However, the transparency reports and audit quality 
reports lack specificity for each of the Firm Reporting disclosure 
areas and, thus, lack standardization and comparability across audit 
firms because of their voluntary nature and lack of coordination across 
firms. In addition, the content of some transparency reports and audit 
quality reports is not as concise as Form 2 required disclosures and 
includes information that is not within scope of the Firm Reporting 
rule--such as human capital investments, independence policies, ethics 
principles, and PCAOB inspection summaries--and are thus not as focused 
as Form 2 required disclosures.
iii. Statutory Oversight
    PCAOB staff experience indicates instances of incomplete, 
imperfect, or untimely information--i.e., information that is not 
requested, not reported, or reported inaccurately, inconsistently or 
without sufficient detail--regarding certain events at firms, which 
could impair the Board's ability to perform its statutory oversight 
function as it relates to emerging risks associated with the events. 
The following paragraphs discuss four instances of incomplete, 
imperfect, or untimely information.
    First, voluntary ad hoc reporting by firms to the PCAOB indicates 
that the current PCAOB reporting framework lacks specificity regarding 
certain events, such as financial constraints, mergers, or changes in 
governance. In some cases, such as insolvency or market consolidation, 
certain events could have implications for audit quality or the audit 
market.\197\ In addition, certain events could affect a company's 
relationship with the audit firm, such as changes in the firm's 
ownership or arrangements with third parties that could impact the 
quality of the firm's provision of audit services. For example, private 
equity investment in a firm could have implications for the firm's 
independence, the approach the firm takes for making decisions, or the 
allocation of resources to the firm's provision of audit services.\198\ 
As a result, the Board may not have a complete picture of the firm's 
incentives or constraints, which could potentially negatively affect 
audit quality or the audit market.
---------------------------------------------------------------------------

    \197\ See, e.g., Joseph Gerakos and Chad Syverson, Competition 
in the Audit Market: Policy Implications, 53 Journal of Accounting 
Research 725 (2015) (finding evidence that the exit of any of the 
largest firms would result in a loss of welfare and an increase in 
audit fees for public companies). One commenter affirmed that this 
finding relates to the largest firms and asserted that the finding 
therefore does not justify requiring all registered firms to provide 
the information. The Board agrees that the finding relates to the 
largest firms and that the study is cited as a single example of an 
event that could have implications for audit quality or the audit 
market. Examples of other events, such as private equity investment 
in an audit firm, which is subsequently noted, are relevant for more 
than just the largest firms.
    \198\ See, e.g., Andrew Kenney, Private Equity Eyes Accounting 
Firms Large and Small, Journal of Accountancy (Feb. 1, 2023) 
(explaining that private equity investment could have implications 
for firm independence, decision-making processes, and use of 
technology and other resources); Jonathan Levin and Steven Tadelis, 
Profit Sharing and the Role of Professional Partnerships, 120 The 
Quarterly Journal of Economics 131, 163 (2005) (providing a 
theoretical model that demonstrates that in markets where clients of 
professional service providers cannot observe quality, partnerships 
emerge as a desirable form of organization because hiring is more 
selective than in profit-maximizing corporations).
---------------------------------------------------------------------------

    Second, without special reporting specified for significant 
cybersecurity incidents, the Board may not be timely notified of 
incidents that could impact audit quality or the audit market.\199\ The 
consequences of a significant cybersecurity incident at an audit firm 
include inadvertent exposure of companies' confidential data that could 
lead to inappropriate use of the data by third parties or malicious 
actors.\200\
---------------------------------------------------------------------------

    \199\ While U.S. states generally have laws regarding companies' 
obligations to notify individuals of cybersecurity incidents related 
to personal data, the Board is not aware of similar requirements for 
business data. For a summary of states' notification laws, see, 
e.g., National Conference of State Legislatures, available at 
https://www.ncsl.org/technology-and-communication/security-breach-notification-laws.
    \200\ See, e.g., Vernon J. Richardson, Rodney E. Smith, and 
Marcia Weidenmier Watson, Much Ado about Nothing: The (Lack of) 
Economic Impact of Data Privacy Breaches, 33 Journal of Information 
Systems 227, 249 (2019) (finding that the costs of a data breach at 
a target company can spill over from the initial target to 
individuals and economically linked companies).
---------------------------------------------------------------------------

    Third, without confidential reporting of the largest firms' 
financial statements, including revenue and operating income delineated 
by service line, the Board may not have information readily available 
to assess a firm's wherewithal to withstand risks associated with 
events such as court judgments against the firm that could affect audit 
quality or threats to global networks or other affiliates that may 
require the firm's support and could affect the provision of audit 
services.\201\ Without financial statements, the Board also misses 
potential opportunities to understand a firm's financial condition or 
financial results that may affect audit quality or the provision of 
audit services.
---------------------------------------------------------------------------

    \201\ See, e.g., Eric L. Talley, Cataclysmic Liability Risk 
Among Big Four Auditors, 106 Columbia Law Review 1641 (2006) 
(concluding that in the wake of the Arthur Anderson collapse it is 
theoretically possible that, under certain conditions, legal 
liability could lead to widespread audit industry breakdown, and 
that even though the empirical pattern of liability exposure around 
the time of the Arthur Anderson collapse did not appear to be the 
type that could imperil the entire profession, the future risk of 
another large firm exiting the market due to legal liability (and 
ultimately impacting audit quality) appeared to be more than 
trivial).
---------------------------------------------------------------------------

    The proposal would have required the largest firms to compile 
financial statements in accordance with an applicable financial 
reporting framework. Investor-related groups

[[Page 96760]]

affirmed the need for the largest firms to report their financial 
statements, compiled in accordance with an applicable financial 
reporting framework. Investor-related groups noted that, for more than 
a dozen years, audit firms in some jurisdictions have publicly issued 
annual reports containing audited financial statements compiled in 
accordance with an applicable financial reporting framework.\202\ One 
commenter suggested the PCAOB should closely monitor the financial 
stability of each of the largest audit firms. Several commenters 
questioned the need for compiling financial statements in accordance 
with an applicable financial reporting framework. One commenter said 
that the proposal did not explain why non-GAAP financial statements are 
inadequate. One commenter said that the proposal did not explain why 
GAAP financial statements are necessary, and other commenters stated 
that the proposal was unclear how obtaining a firm's financial 
statements facilitates the PCAOB's statutory oversight function. 
Another commenter asserted that the claim to need GAAP financial 
statements is not credible. Several commenters suggested that 
comparability achieved via an applicable financial reporting framework 
across audit firms' financial statements could likely be limited or is 
unlikely due to different sizes and operating structures among the 
firms. Some commenters suggested that financial statements presented in 
accordance with an applicable financial reporting framework may be 
inconsistent with how firms operate. Some commenters questioned the 
rationale for requiring firms to delineate by service line.
---------------------------------------------------------------------------

    \202\ See, e.g., PricewaterhouseCoopers LLP, UK Annual Report 
2023, Members' Report and Financial Statements for the Financial 
Year Ended 30 June 2023 (2023), available at https://www.pwc.co.uk/annualreport/assets/2023/pwc-uk-financial-statements-2023.pdf.
---------------------------------------------------------------------------

    As noted above, U.S. GNFs currently compile financial statements 
using a variety of frameworks that are generally accrual-based but not 
in accordance with an applicable financial reporting framework. In 
response to commenters' concerns regarding the Board's need for 
financial statements compiled in accordance with an applicable 
financial reporting framework, the Board has revised the requirement 
for financial statements to be compiled in accordance with an accrual 
basis of accounting rather than an applicable financial reporting 
framework. In addition, the Board has clarified the requirement to 
delineate, at a minimum, revenue and operating income by service line, 
which will enable the Board to understand the firm's audit practice in 
context with the firm's other lines of business as noted in the 
Discussion of the Reporting Updates section.
    Fourth, a 30-day filing deadline for material specified events is 
not consistent with the increased pace at which information is 
generated and consumed today, or with advances in automation and 
processing, given the gravity of material specified events. For 
example, if a determination has been made that there is substantial 
doubt about a firm's ability to continue as a going concern, a 30-day 
time lag may not provide the Board with sufficient notice for 
appropriate timely follow-up.
    The proposal included a provision that would have accelerated the 
filing deadline for existing specified events from 30 days to 14 days 
in addition to imposing a 14-day filing deadline for material specified 
events. Investor-related groups affirmed the need for a 14-day filing 
deadline. Several commenters questioned the need for a filing deadline 
shorter than 30 days. One commenter asserted that the only 
justification provided for the shorter deadline is advances in 
automation and processing. One firm commenter affirmed that advances in 
automation and processing are useful to alert firms to events requiring 
disclosure and noted that the subsequent evaluation of an event is 
intensely manual. The commenter affirmed that a 14-day filing deadline 
may be feasible for some events but expressed concern that acceleration 
will result in errors in Form 3 reporting. Some firms said that 
automation is not a sufficient reason for a shorter filing deadline 
because subsequent analysis and evaluation are required after an event 
is identified, which may require manual internal and external advising 
to investigate and conclude on an event. One commenter asserted that a 
14-day filing deadline will not be sufficient because several people 
are involved in the process to identify, analyze, and report an event. 
Some commenters expressed concern that a 14-day filing deadline may not 
be sufficient for foreign firms because they often need to obtain legal 
advice about whether an event qualifies for reporting on Form 3. One 
GNF commenter noted that more than 70 percent of the Form 3 filings by 
foreign firms in the firm's network relate to legal proceedings 
required by Part IV (Certain Proceedings) of Form 3. One commenter 
noted that a 14-day filing deadline may not be sufficient for smaller 
firms because they have fewer legal and other resources. One firm 
commenter supported timely reporting of specified events but questioned 
if there is evidence indicating that the 30-day timeline was 
insufficient or detrimental. A few other commenters also questioned 
whether there is evidence to suggest there is a need to shorten the 
filing deadline from 30 days to 14 days.
    While commenters focused on limitations of advances in automation 
and processing, the proposal and this section of the release explain 
that the need for a shorter filing deadline also arises from the 
increased pace at which information is generated and consumed today. 
For example, the Board has become aware of events at firms through 
means other than Form 3 prior to the 30-day filing deadline. In 
addition, some firms have demonstrated an ability to file Form 3 within 
a 14-day period as explained above. Nevertheless, as explained in 
Discussion of the Reporting Updates section, the final rule applies the 
14-day filing deadline only to material specified events, rather than 
to all Form 3 specified events. Moreover, the decision to limit the 
reporting requirements for material specified events to annually 
inspected firms will reduce the number of firms subject to the shorter 
filing deadline for those events.
2. How the Final Rule Addresses the Need
i. Investors and Audit Committees
    The final rule enhances transparency of audit firms by mandating 
public disclosure of firm information--including financial, governance, 
network, and cybersecurity characteristics--relating to the firm's 
capacity, incentives, and constraints to provide quality audit 
services. The final rule thus reduces frictions in the information 
market discussed above and thereby enhances: (i) audit committees' 
abilities to efficiently and effectively compare firms in their 
appointment and monitoring efforts and (ii) investors' abilities to 
efficiently and effectively compare firms in their decisions to vote on 
ratification proposals and allocate capital. The final rule requires 
firms to report standardized information using PCAOB structured forms, 
further promoting consistency across firms and over time. Collecting 
standardized information will enhance the usefulness of the information 
to investors and audit committees by allowing them to more easily 
compare firms.
ii. Statutory Oversight
    The final rule enhances the effectiveness of the Board's statutory 
oversight related to audit firms and the

[[Page 96761]]

audit market by reducing the extent of incomplete or imperfect 
information in the current PCAOB reporting framework. The required 
disclosures and confidential reporting will replace similar information 
currently collected on a supplemental basis or received on a voluntary 
ad hoc basis by the PCAOB. However, PCAOB supplemental data collection 
will still be necessary to the extent that any relevant information 
that supports statutory oversight is not included in the reporting 
requirements.
Economic Impacts
    This section discusses the expected benefits and costs of the final 
rule and potential unintended consequences. Several commenters said 
that the economic analysis does not sufficiently analyze whether the 
benefits outweigh the costs of the reporting requirements. However, the 
commenters did not suggest a data source or methodology that allows for 
a quantitative analysis of all benefits and costs. Investor-related 
groups asserted that they believe the economic benefits of the proposal 
exceed the costs. In contrast, several commenters asserted that they 
believe the economic benefits of the proposal or certain reporting 
requirements in the proposal do not outweigh the costs. In both cases, 
commenters did not provide quantification of benefits or costs to 
support their beliefs regarding the relationship between benefits and 
costs. This economic analysis separately analyzes benefits and costs, 
and as stated above, the Board is not able to quantify all relevant 
benefits and costs due to data limitations.
    Several commenters suggested that the PCAOB should consider the 
cumulative effects of the reporting requirements in this rulemaking 
along with other rules and standards that have recently been proposed 
or adopted. One commenter reported results of a survey of audit 
committee member respondents in which 76 percent of 145 respondents 
indicated concern about the cumulative impact of PCAOB standard-setting 
and rulemaking on audit quality and 24 percent indicated no 
concern.\203\ One commenter asserted that clustering effective dates 
for multiple rules is unreasonable and unworkable. Consistent with 
long-standing practice based on PCAOB staff guidance for economic 
analysis,\204\ the Board's economic analysis for each rulemaking 
considers the incremental benefit and costs for a specific rule--i.e., 
the benefits and costs stemming from that rule compared with the 
baseline.\205\ There could be implementation activities for certain 
provisions of other PCAOB adopted and SEC approved rules and standards 
that overlap in time with implementation of the final Firm Reporting 
rule, which may impose costs on resource constrained firms affected by 
multiple rules. This may be particularly true for smaller and mid-sized 
firms with more limited resources. In determining effective dates and 
implementation periods, the Board considers the benefits of rules as 
well as the costs of delayed implementation periods and potential 
overlapping implementation periods. The Board also considers that in 
some cases, overlapping implementation periods may have benefits 
because firms will not need to revise or redo previous process or 
system changes where rules interact with each other. In addition, the 
Board has adopted phased implementation for smaller firms to give the 
firms more time to develop and implement the necessary tools to comply 
with the requirements.
---------------------------------------------------------------------------

    \203\ See CAQ Audit Committee Survey. The survey question asked, 
``Do you have concerns about the cumulative impact of PCAOB 
standard-setting and rulemaking on audit quality?''
    \204\ See PCAOB, Staff Guidance on Economic Analysis in PCAOB 
Standard-Setting (Feb. 14, 2014), available at https://pcaobus.org/oversight/standards/economic-analysis/05152014_guidance.
    \205\ Some commenters suggested that implementation of the final 
Firm Reporting rule should be postponed until post-implementation 
review (``PIR'') of other standards is complete. The Board has an 
established PIR program under which staff of the Office of Economic 
and Risk Analysis (``OERA'') conduct an analysis of the overall 
effect of new auditing requirements on key stakeholders in the audit 
process. In determining whether to conduct a PIR of a new or revised 
standard, staff consider the nature of the new standard, the 
feasibility of a PIR, and the potential utility to the Board. The 
Board expects that OERA staff will consider whether, based on these 
factors, a PIR may be warranted and, if so, OERA staff will 
recommend that the Board determine to conduct one. Based on these 
process considerations for PIRs, the Board decided that postponing 
implementation of the final Firm Reporting rule will not necessarily 
inform or improve the final Firm Reporting rule.
---------------------------------------------------------------------------

1. Benefits
    The required disclosures will enhance: (i) audit committees' 
abilities to efficiently and effectively compare firms in their 
appointment decisions and monitoring efforts and (ii) investors' 
abilities to efficiently and effectively compare firms in their 
ratification decisions and monitoring efforts and in their capital 
allocation decisions. The required disclosures could also provide 
indirect benefits linked to audit quality, financial reporting quality, 
capital market efficiency, and competition. In addition, the required 
disclosures and confidential reporting will enhance the effectiveness 
of the Board's statutory oversight function.
    In the following discussion, the Board discusses the direct 
benefits associated with enhancing the information environment 
regarding firm characteristics. The Board then discusses indirect 
benefits of the reporting changes. The Board then reviews academic 
literature related to the required disclosures. Throughout the 
discussion, The Board assumes that investors and audit committees will 
use the required disclosures based on their roles described above and 
that firms will report complete and accurate information based on the 
Form 2 and Form 3 certification requirements and the regulatory 
enforcement incentive.
i. Direct Benefits
    The required disclosures will enhance transparency and 
comparability of audit firms to support audit committee and investor 
decision-making. In addition, the reporting requirements will enhance 
the effectiveness of the Board's statutory oversight function. The 
Board notes that the benefits of comparable information have been 
observed in research regarding financial reporting.\206\ The Board also 
notes that the benefits of prior PCAOB disclosure rules vary by rule 
and analysis.\207\ Although there are differences between financial 
reporting disclosures and the required disclosures in this disclosure 
rule and between

[[Page 96762]]

prior PCAOB disclosure rules and this disclosure rule, the Board 
expects these findings are informative of the potential benefits of 
this rule because of the public availability of the required 
disclosures.
---------------------------------------------------------------------------

    \206\ See, e.g., Mark L. DeFond, Xuesong Hu, Mingyi Hung, and 
Siqi Li, The Impact of Mandatory IFRS Adoption on Foreign Mutual 
Fund Ownership: The Role of Comparability, 51 Journal of Accounting 
and Economics 240, 241 (2011) (finding that greater financial 
reporting comparability leads to greater investment).
    \207\ See, e.g., Interim Analysis Report: Further Evidence on 
the Initial Impact of Critical Audit Matter Requirements, PCAOB Rel. 
No. 2022-007 (Dec. 7, 2022), at 4 (suggesting that as of the 
analysis date investors may still be learning how to find value-
relevance in the information content of disclosed critical audit 
matters); PCAOB, Staff White Paper: Econometric Analysis on the 
Initial Implementation of CAM Requirements (Oct. 2020), at 4, 
available at https://pcaobus.org/EconomicAndRiskAnalysis/pir/Documents/Econometric-Analysis-Initial-Implementation-CAM-Requirements.pdf (discussing how PCAOB staff did not find systematic 
evidence that investors respond to the information contents in 
critical audit matters but nevertheless did find that some investors 
are reading critical audit matters and find the information 
beneficial); Kose John and Min Liu, Does the Disclosure of an Audit 
Engagement Partner's Name Improve the Audit Quality? A Difference-
in-difference Analysis, 14 Journal of Risk and Financial Management 
1 (2021) (suggesting that there was an increase in audit quality and 
audits costs as a result of PCAOB Rule 3211, Auditor Reporting of 
Certain Audit Participants); Lauren M. Cunningham, Chan Li, Sarah E. 
Stein, and Nicole S. Wright, What's in a Name? Initial Evidence of 
US Audit Partner Identification Using Difference-in-Differences 
Analyses, 94 The Accounting Review 139 (2019) (finding evidence that 
any immediate impact of PCAOB Rule 3211 on audit quality or audit 
fees is limited to specific dimensions of audit quality, specific 
control groups, and/or specific company characteristics).
---------------------------------------------------------------------------

    Several commenters expressed doubt about the comparability of the 
required disclosures. One firm commenter suggested that the qualitative 
and narrative nature of most of the required disclosures does not lend 
itself to meaningful comparisons. Another firm commenter suggested that 
audit firms vary significantly in size and structure, making it 
difficult to achieve meaningful comparisons. Another commenter, 
representing smaller firms, noted that an audit firm with a small 
issuer portfolio will be required to compile information regarding the 
firm's entire audit practice and questioned whether there will be any 
basis for comparison to other audit firms given the potentially 
significant differences in the makeup of the firm's audit practice. 
While the Board agrees that qualitative and narrative disclosures may 
pose some limitations on comparability, the Board believes that 
comparability even of qualitative and narrative disclosures is enhanced 
by standardized reporting requirements, especially to the extent that 
qualitative and narrative disclosures provide useful context for users. 
The Board also agrees that comparability may likely be most meaningful 
among firms of the same size class or among firms with similar sized 
issuer portfolios. However, the Board believes that differences among 
firms do not diminish meaningful comparisons but rather enable users to 
distinguish one firm from another.
a. Investors and Audit Committees
    The required disclosures will facilitate better-informed 
appointment decisions and monitoring by audit committees and better-
informed appointment ratification decisions and monitoring by investors 
because the disclosures will enhance audit firm transparency with a 
cost-effective source of standardized information across firms and over 
time. To the extent that firm operating characteristics provide 
investors and audit committees with information to assess a firm's 
capacity, incentives, and constraints, the required disclosures will 
serve as a potential resource for more reliable audit committee 
appointment of the firm and investor ratification of the appointment 
proposal.\208\ To the extent that firm characteristics change following 
a selection decision, the required disclosures will serve as a 
potential resource for more reliable periodic monitoring of the firm.
---------------------------------------------------------------------------

    \208\ See, e.g., Gene M. Grossman and Carl Shapiro, Informative 
Advertising with Differentiated Products, 51 The Review of Economic 
Studies 63 (1984) (finding that reduced information frictions can 
result in improved matching between sellers and buyers).
---------------------------------------------------------------------------

    Audit committees will benefit from the enhanced information by 
being enabled to more efficiently and effectively review and compare 
information from peer firms against information from incumbent and 
tendering firms. Investors will benefit by being enabled to more 
efficiently and effectively evaluate firms. Market participants that 
rely on proxy advisors will also likely benefit from the required 
disclosures as proxy advisors could use the information in their 
recommendations, which in turn could provide benefits to less-resourced 
investors.
    Mandatory standardized disclosure will enhance the effectiveness 
and efficiency of comparing firm characteristics across firms and over 
time. Form 2 provides standardized information with well-defined fields 
and a structured format that can be made conveniently available for 
access and use.\209\ Standardization of the required disclosures will 
decrease investors' and audit committees' search costs and monitoring 
costs.\210\ The public availability of the required information via 
disclosure could also lead the firm to more proactively consider and 
take actions regarding a company's stake in matters such as the firm's 
use and protection of the company's data.\211\
---------------------------------------------------------------------------

    \209\ See, e.g., Luigi Zingales, The Future of Securities 
Regulation, 47 Journal of Accounting Research 391, 395 (2009) 
(concluding that a more subtle benefit of disclosure regulation is 
the standardization it entails); Jeffrey R. Kling, Sendhil 
Mullainathan, Eldar Shafir, Lee C. Vermeulen, and Marian V. Wrobel, 
Comparison Friction: Experimental Evidence from Medicare Drug Plans, 
127 The Quarterly Journal of Economics 199 (2012) (finding that 
standardized information better enables individuals to assess 
tradeoffs and make coherent, rational decisions).
    \210\ See, e.g., Zingales, The Future of Securities Regulation 
395 (concluding that a company chooses a presentation format that is 
most favorable to the company's data, which impairs investors' 
ability to make comparisons across companies); Leuz and Wysocki, The 
Economics of Disclosure and Financial Reporting Regulation 525 
(explaining that the disclosure of operating performance and 
governance arrangements by public companies can lower the cost of 
monitoring by providing investors with useful benchmarks that help 
investors evaluate other companies' managerial efficiency or 
potential agency conflicts). The Board notes that these studies 
focus on company disclosures, the results of which may not 
generalize to audit firms.
    \211\ See, e.g., George Loewenstein, Cass R. Sunstein, and 
Russell Golman, Disclosure: Psychology Changes Everything, 6 Annual 
Review of Economics 391 (2014) (suggesting that the disclosure of 
information can have indirect effects that lead to changes in 
behavior).
---------------------------------------------------------------------------

    Three caveats could attenuate the potential benefits of better-
informed selection decisions and monitoring. First, the incremental 
benefits of the required disclosures for audit committees will be 
reduced to the extent that audit committees request and receive firm 
information via ad hoc requests from incumbent or tendering firms. 
However, by making the disclosures mandatory and standardized, the 
final rule will increase the accessibility and comparability of 
publicly available information regarding PCAOB-registered firms. For 
example, audit committees will be better able to compare an incumbent 
firm to peer firms.\212\ Second, the benefits of better-informed 
appointment decisions and monitoring could vary depending on the 
involvement and experience of audit committees. For example, more 
proactive audit committees with greater firm appointment and monitoring 
experience may be more likely to use the information than other audit 
committees. However, audit committees may come to appreciate the 
accessibility and comparability of the required disclosures through the 
iterative process of appointing and monitoring firms. Third, to the 
extent that benefits are derived from the ability to readily switch 
between firms, the benefits could be reduced by stickiness in existing 
firm-issuer relationships. In particular, large multinational issuers 
may, as a practical matter need a GNF, which limits the pool of 
available alternatives.\213\ Therefore, the benefits of better-informed 
selection decisions and monitoring could be reduced for the largest 
issuers.
---------------------------------------------------------------------------

    \212\ See, e.g., CAQ Barometer Report, at 15.
    \213\ See United States Government Accountability Office, 
Continued Concentration in Audit Market for Large Public Companies 
Does Not Call for Immediate Action (Jan. 8, 2008), at 21.
---------------------------------------------------------------------------

    In addition to assisting investors with their appointment 
ratification votes and monitoring an audit firm, the required 
disclosures will assist investors in monitoring and evaluating the 
audit committee. The audit committee is responsible for overseeing the 
firm and the required disclosures may assist investors in determining 
whether the audit committee is effective in this role (e.g., whether 
the audit committee continues to delay replacing a firm despite firm 
information that indicates insufficient capacity or poorly managed 
incentives and constraints). Enhanced investor monitoring of the audit

[[Page 96763]]

committee could improve audit committee effectiveness.\214\
---------------------------------------------------------------------------

    \214\ Some academic research suggests that audit committee 
effectiveness is associated with audit committee incentives. See, 
e.g., Jeffrey Cohen, Ganesh Krishnamoorthy, and Arnold M. Wright, 
The Corporate Governance Mosaic and Financial Reporting Quality, 23 
Journal of Accounting Literature 87 (2004) (concluding that personal 
ties and/or professional ties between the CEO and audit committee 
members can potentially impair members' objectivity). Some academic 
research suggests that investors are willing to pay for audit 
committee effectiveness and hold audit committees accountable for 
negative audit quality. See, e.g., Ellen Engel, Rachel M. Hayes, and 
Xue Wang, Audit Committee Compensation and the Demand for Monitoring 
of the Financial Reporting Process, 49 Journal of Accounting and 
Economics 136, 138 (2010) (suggesting a willingness by companies to 
deviate from the historically prevalent one-size-fits-all approach 
to director pay in response to increased demands on audit committees 
and differential director expertise); Suraj Srinivasan, Consequences 
of Financial Reporting Failure for Outside Directors: Evidence from 
Accounting Restatements and Audit Committee Members, 43 Journal of 
Accounting Research 291 (2005) (concluding that audit committee 
members bear reputational costs for financial reporting failure). 
Some academic research suggests that audit committee members without 
Big 4 audit experience are more likely to favor auditors that are 
rated as attractive. See, e.g., Matthew Baugh, Nicholas J. Hallman, 
and Steven J. Kachelmeier, A Matter of Appearances: How Does 
Auditing Expertise Benefit Audit Committees When Selecting 
Auditors?, 39 Contemporary Accounting Research 234 (2022) 
(concluding that auditing expertise mitigates the influence of 
superficial considerations in auditor selection, enabling audit 
committees to fulfill their stewardship role more effectively). 
Together, this research suggests that audit committee effectiveness 
could respond to improved investor monitoring. Other research 
suggests that audit committee effectiveness is positively associated 
with proxies for audit quality. See, e.g., Brian Bratten, Monika 
Causholli, and Valbona Sulcaj, Overseeing the External Audit 
Function: Evidence from Audit Committees' Reported Activities, 41 
Auditing: A Journal of Practice & Theory 1 (2022) (finding that the 
strength of audit committee oversight, as implied by audit committee 
disclosures, is positively associated with proxies for audit 
quality).
---------------------------------------------------------------------------

    Some of the required disclosures may not directly reflect a firm's 
capacity, incentives, and constraints. For example, stronger member 
networks may not directly translate to more technical resources for 
some firms or the composition of governing boards and management 
committees in some firms may not directly reflect accountability or its 
enforcement. One commenter affirmed this potential limitation and 
asserted that the reporting requirements do not provide insight into a 
firm's capacity, incentives, and constraints. However, the Board 
expects the required disclosures, either individually or taken together 
with other factors, to enhance the information environment for 
investors and audit committees. The relevance of the required 
disclosures to decision-making is evident in academic research. For 
example, academic research finds that certain audit firm 
characteristics--including firm size and financial situation, 
governance and network information, and insurance and litigation 
history--are used by insurance companies to assess the firm's risk 
exposure and set premiums.\215\
---------------------------------------------------------------------------

    \215\ See, e.g., Mark Linville and John Thornton, Litigation 
Risk Factors as Identified by Malpractice Insurance Carriers, 17 The 
Journal of Applied Business Research 93, 95 (2001) (finding that 
insurance companies request information regarding audit firm 
revenue, predecessor firms, types of services provided, location, 
independence, organizational form, related-party involvement, 
fiduciary responsibilities, professional sanctions, and insurance 
and litigation history); Minjung Kang, Ho-Young Lee, Vivek Mande, 
and Yong-Sang Woo, Audit Firm Attributes and Auditor Litigation 
Risk, 55 Abacus 639, 641 (2019) (finding that audit firms with 
operating losses, rapid revenue growth, or no separation between 
audit and non-audit practices pay higher liability insurance 
premiums, while firms with a high proportion of partners and higher 
growth in the number of CPAs employed pay lower insurance premiums).
---------------------------------------------------------------------------

    Investor-related groups said that the required disclosures will 
provide investors with information they currently do not have access to 
that can assist them in making more informed decisions about whether to 
vote to approve a proposal to ratify an audit firm or to elect or 
reelect an audit committee chair or members, or in exercising their 
responsibilities for oversight of an audit committee. One commenter 
expressed agreement that the required disclosures will be an effective 
means to allow investors and audit committees to evaluate registered 
firms and the public company audits they provide. Another commenter 
agreed that some of the required disclosures will provide information 
useful to audit committees for purposes of contracting with audit 
firms. One commenter reported results of a survey of audit committee 
member respondents in which 37 percent of 142 respondents indicated 
that the reporting requirements will be useful to the audit committee 
in exercising its oversight role and 63 percent of the respondents 
indicated the reporting requirements will not be useful.\216\
---------------------------------------------------------------------------

    \216\ See CAQ Audit Committee Survey. The survey question asked, 
``Are the proposed enhanced reporting requirements in the Firm 
Reporting proposal useful to the audit committee in exercising its 
oversight role?'' The Board notes that the survey results could vary 
based on any differences between the proposed disclosures and the 
adopted disclosures.
---------------------------------------------------------------------------

    Several firms or representatives of firms questioned the benefits 
associated with the required disclosures. One commenter asserted that 
the potential benefits of the reporting requirements are not adequately 
correlated with the required disclosures. One commenter noted that the 
potential direct benefits were presented with caveats indicating 
possible limitations to their usefulness. Another commenter said that 
the proposal fell short of identifying how the additional reporting 
requirements will produce useful and comparable results for investors 
and audit committees. One commenter asserted that there was a 
presumption in the proposal that more disclosure is generally 
beneficial but the presumption is unsubstantiated.
    While the Board continues to believe there are caveats and 
limitations regarding the potential benefits of the reporting 
requirements, evidence of the potential benefits is provided by 
academic research cited above and by comments from investor-related 
groups and surveys conducted of institutional investors and audit 
committee members discussed in this release. In addition, while the 
proposal and this release substantiate the benefits of the required 
disclosures, neither the proposal nor this release have presumed that 
more disclosure, other than the required disclosures, is generally 
beneficial. The Board also believes that the potential benefits of some 
of the required disclosures may vary across investors and audit 
committees. Comments from investor-related groups suggested that 
potential benefits associated with the required disclosures will be 
achieved through better informed decision-making and monitoring 
efforts. One commenter representing audit committee chairs suggested 
that audit committee chairs already receive or have access to most of 
the information that is being mandated, implying that audit committees 
will realize fewer benefits associated with the required disclosures, 
as suggested in the proposal. Another commenter suggested that the 
incremental benefit to audit committees from increased accessibility 
and comparability of publicly available information regarding PCAOB-
registered firms, as noted in the proposal, will be small.
    One commenter suggested that the Board should consider the benefits 
to stakeholders in the companies that smaller firms audit and further 
explore the benefits of the reporting requirements to stakeholders of 
smaller public companies as compared to the costs incurred by firms. 
While the Board separately analyzes costs that will be incurred by 
firms in a section below, the Board believes that the benefits 
described above will also accrue to investors of companies that smaller 
firms audit and investors of smaller public companies. If investors of 
companies that smaller firms audit or investors of smaller public 
companies face relatively higher information asymmetry with the audit 
firm and company management, the benefits

[[Page 96764]]

associated with the required disclosures could be incrementally higher. 
For example, to the extent that smaller public companies have fewer 
institutional investors or less experienced audit committee members, 
the benefits associated with the required disclosures assisting 
investors in smaller public companies with their ratification votes and 
monitoring the firm as well as monitoring and evaluating the audit 
committee could be incrementally higher than the benefits that will 
accrue to investors in larger public companies with relatively more 
institutional investors or more experienced audit committee members.
    One commenter suggested that not monitoring specific uses of Form 2 
and Form 3 compels the Board to rely on broad and unsubstantiated 
statements regarding benefits. Another commenter said that the proposal 
identified benefits from disclosure generally but did not clearly and 
consistently articulate how the required disclosures will reasonably 
achieve the benefits. The Board agrees that the potential benefits 
associated with the required disclosures are identified and discussed 
collectively as a whole or by area of disclosure. However, not 
monitoring investor and audit committee uses does not imply that 
investors and audit committees do not utilize current Form 2 and Form 3 
data or will not utilize the required disclosures. Results of the 
surveys conducted of institutional investors and audit committee 
members, and discussed in a section above, affirm that some 
institutional investor respondents, and audit committee member 
respondents to a much lesser extent, do utilize Form 2 and Form 3 
information available on the PCAOB website. Moreover, as noted above, 
comments received from investor-related groups and survey results of 
audit committee members affirmed the benefits of the required 
disclosures to both groups.
    One commenter asserted that the proposal did not provide evidence 
that the benefits will be achieved or that less expensive alternatives 
do not exist. However, in addition to evidence provided by academic 
research discussed in the proposal and by comments from investor-
related groups and surveys conducted of institutional investors and 
audit committee members discussed in this release, potentially less-
expensive alternatives to the reporting requirements were discussed in 
the proposal and are discussed below in this release. One commenter 
suggested it is unlikely that investors will gain any meaningful 
benefits based on the use of static, form-based reporting to collect 
and disseminate the information (e.g., reporting of required 
information on Form 2). Another commenter suggested that the current 
static PDF format for Form 2 and Form 3 can require readers to page 
through multiple pages to locate the specific information they are 
seeking and encouraged the Board to modernize the system to allow users 
to locate relevant information more quickly and easily. Another 
commenter encouraged the Board to consider improving the current PCAOB 
reporting system to facilitate the reporting of information and user 
access to the information. The Board agrees that the method of 
collecting and disseminating information facilitates user access to the 
information, and since the Firm Reporting rule focuses on the content 
of the required disclosures and confidential reporting rather than how 
the information is collected and disseminated, the Board focuses on the 
benefits associated with the decision-usefulness of the required 
disclosures rather than any benefits associated with how the 
information is collected and disseminated. Nevertheless, results of the 
surveys conducted of institutional investors and audit committee 
members, and discussed in a section above, affirm that institutional 
investor respondents, and audit committee member respondents to a 
lesser degree, do utilize Form 2 and Form 3 information available on 
the PCAOB website.
b. Statutory Oversight
    The required disclosures and confidential reporting will enhance 
the effectiveness of PCAOB's statutory oversight function and operating 
effectiveness. The required disclosures and confidential reporting will 
enable the Board to reduce supplemental information collection to the 
extent that the required reporting overlaps with supplemental 
information, but supplemental information collection will still be 
necessary for oversight purposes. Standardization of information will 
facilitate statutory oversight and will expedite Board efforts to 
identify regulatory tools and mechanisms in response to potential 
occasional disruptions in the timely issuance of audit opinions, for 
example, in the event of the failure of a large audit firm or other 
circumstances.\217\ Enhanced PCAOB oversight will benefit firms and 
investors through more effective use of inspection resources, more 
effective standard setting and rulemaking, and better-informed 
assessments of specified events.
---------------------------------------------------------------------------

    \217\ See, e.g., Temporary Final Rule and Final Rule: 
Requirements for Arthur Anderson LLP Auditing Clients, SEC Rel. No. 
33-8070 (Mar. 18, 2002).
---------------------------------------------------------------------------

    One commenter asserted that the proposal was unclear about what the 
PCAOB intends to do with the new information that will be reported. Two 
commenters asserted that the proposal provided no insights on how the 
PCAOB will use the information or how the data will inform the PCAOB's 
processes and activities. However, the proposal discussed and this 
release in the following paragraphs discuss PCAOB uses of the required 
disclosures and confidential reporting.
    Collecting the required disclosures on Form 2 annually, across 
firms, will support the PCAOB's efforts to enhance audit quality and 
protect investors by more effectively planning and scoping inspection 
selections.\218\ One commenter asserted that requiring the disclosures 
to be collected on Form 2 in order to facilitate effective inspection 
scoping and planning was a vague and insufficient basis for the 
reporting requirements because the PCAOB can continue to request 
information when inspection planning begins. The commenter further 
asserted that there is no indication or reason to believe that 
providing the information outside the inspection process further 
enhances audit quality. However, the section below explains that 
requiring disclosures outside the inspection process may indirectly 
enhance audit quality. The required disclosures on Form 2 will also 
enhance the PCAOB's ability to perform cross-sectional analyses and 
policy research, which could inform future standard setting and 
rulemaking. These planning, analyses, and research impacts will be 
limited by

[[Page 96765]]

the fact that some firms file Form 2 late or never and some do not sign 
an opinion or play a substantial role as demonstrated in Figure 1 for 
the 2023 filing year.
---------------------------------------------------------------------------

    \218\ See, e.g., Phillip T. Lamoreaux, Does PCAOB Inspection 
Access Improve Audit Quality? An Examination of Foreign Firms Listed 
in the United States, 61 Journal of Accounting and Economics 313 
(2016) (finding that auditors subject to PCAOB inspection access 
provide higher quality audits as measured by more going concern 
opinions, more reported material weaknesses, and less earnings 
management, relative to auditors not subject to PCAOB inspection 
access); Inder K. Khurana, Nathan G. Lundstrom, and K.K. Raman, 
PCAOB Inspections and the Differential Audit Quality Effect for Big 
4 Non-Big 4 US Auditors, 38 Contemporary Accounting Research 376 
(2021) (suggesting that initial PCAOB inspections improve audit 
quality more for the largest firms than for other annually inspected 
or triennially inspected firms); Albert L. Nagy, PCAOB Quality 
Control Inspection Reports and Auditor Reputation, 33 Auditing: A 
Journal of Practice & Theory 87 (2014) (concluding that public 
disclosure of PCAOB Part II inspection findings leads to a loss of 
the firm's market share and provides a credible signal of audit 
quality). The Board notes that the results from these studies that 
suggest a positive association between PCAOB oversight and audit 
quality do not necessarily mean that PCAOB oversight causes higher 
audit quality. These studies merely find positive associations 
between PCAOB oversight and audit quality.
---------------------------------------------------------------------------

    The required confidential reporting of material specified events 
and significant cybersecurity incidents on Form 3 and their timely 
filing deadlines will better position the Board to assess a material 
specified event or significant cybersecurity incident and share 
information in a timely manner with the Board's oversight authorities 
(i.e., SEC or Congress) to consider any response that may be 
warranted.\219\ One commenter asserted that it is unclear what 
immediate actions the PCAOB could take in response to an accelerated 
filing deadline. Another commenter suggested that it is unclear how the 
PCAOB will utilize certain required disclosures, and the commenter used 
insurance claims to illustrate there could be confidentiality concerns 
from the perspective of the insurance company. The commenter further 
asserted that the reporting requirements will mandate disclosure of a 
wide range of highly confidential information for an unclear purpose.
---------------------------------------------------------------------------

    \219\ For examples of events that the Board could potentially 
assess with more formalized and timely reporting, see, e.g., Mark 
Maurer, BDO to Establish Employee Stock Ownership Plan as Part of 
U.S. Restructuring, Wall Street Journal (Aug. 14, 2023); Kenney, 
Private Equity Eyes Accounting Firms Large and Small; Natalia M. 
Greene, Private Equity and Auditor Independence, Accounting Today 
(June 28, 2023).
---------------------------------------------------------------------------

    Beyond sharing information with the Board's oversight authorities, 
immediate actions, if any, will depend on the nature of the material 
specified event or significant cybersecurity incident. The PCAOB has 
resources to turn inspection activities toward emerging risks or 
events, and timely reporting by firms of material specified events or 
significant cybersecurity incidents could inform whether to utilize 
those resources. In addition, the required reporting for events that 
trigger material claims on insurance policies or other material 
specified events will be confidentially reported and not publicly 
disclosed. To the extent that firms are experiencing currently 
unspecified events that are relevant to effective statutory oversight 
but not reporting the events to PCAOB on a voluntary ad hoc basis, the 
firms may lack clarity about what is expected of them. By adding 
material specified events and significant cybersecurity incidents to 
Form 3, potential ambiguity will be mitigated, and the effectiveness of 
PCAOB oversight will be enhanced. Based on the additional coverage of 
material specified events and significant cybersecurity incidents, the 
Board anticipates that the numbers of Form 3 filed will likely increase 
relative to the counts reported in Figure 2 for the 2023 filing year. 
However, the increase in the numbers of filings related to material 
specified events will be bounded by the limited scope of the reporting 
requirement to annually inspected firms.
    In combination, the required information collection on Form 2 and 
Form 3 will inform PCAOB staff's understanding of a firm's operations 
and financial strength to help the Board assess and share information 
with the Board's oversight authorities regarding certain developments. 
For example, in the case of a material financial event that threatens a 
firm's ability to continue as a going concern or the quality of a 
firm's audits, reporting of the event on Form 3 will better position 
the Board to assess and share information with the Board's oversight 
authorities regarding potential implications for the firm and its 
issuers.\220\ Information reported on the most recent Form 2, such as 
disaggregated fees, will be useful to determine if the firm's practice 
is concentrated on a particular client type and assess implications for 
issuers to find another firm. The information may also prompt the Board 
to request additional information to further its understanding or to 
take no action.
---------------------------------------------------------------------------

    \220\ See, e.g., ACAP Final Report, at VIII.9, which recommends 
that regulators monitor potential sources of catastrophic risk faced 
by firms and create a mechanism for the preservation and 
rehabilitation of troubled larger firms.
---------------------------------------------------------------------------

    The required confidential reporting of the largest firms' financial 
statements will enable PCAOB staff to assess the operating and 
financial resources that firms have available in light of the large 
number of audits and complex audit engagements the firms perform. 
Requiring firms to compile financial statements in accordance with an 
accrual basis of accounting will support effective regulatory oversight 
by facilitating an understanding of a firm's liabilities and 
obligations that could impact the firm's incentives and constraints to 
provide quality audit services. Requiring firms to delineate revenue 
and operating income by service line will enable the Board to 
understand the firm's audit practice in context with the firm's other 
lines of business as noted in the Discussion of the Reporting Updates 
section. The benefits associated with firms' financial statements will 
be attenuated to the extent that accrual-based financial statements are 
already received through the inspection process, which as explained in 
above is the case for U.S. GNFs.
    Several commenters suggested that the proposal lacked an 
explanation of the explicit uses of the financial statements or actions 
the Board could take based on information in the financial statements. 
However, the proposal explained that an assessment of resources could 
aid the Board's understanding of a firm's capacity to withstand risks 
associated with events such as court judgments against the firm or 
threats to global networks or other affiliates that may require the 
firm's support. For example, if there is a threat to a global network 
affiliate, financial statements could aid PCAOB staff's evaluation of 
whether the U.S. firm has the operating and financial capacity to 
provide support to the distressed affiliate in order to preserve the 
network's ability to perform a multinational audit. The availability of 
financial statements will also enable the Board to observe detectable 
unexplained changes in the firm's financial health and decide whether 
to discuss those changes with firm leadership to understand the 
circumstances that caused the changes and the potential impact on audit 
quality.
    The failure of a large firm could be broadly consequential if it 
leads to market disruptions that threaten audit quality. While the 
required information collection will be useful to enhance the 
effectiveness of PCAOB oversight for individual firms, some required 
disclosures or confidential reporting regarding large firms may 
indicate implications for the broader audit market and the potential 
impact on audit quality. For example, the failure of a large firm may 
pose challenges to issuers trying to engage a new firm and could lead 
to less reliable audits in the short run because remaining firms might 
be overworked or lack relevant knowledge and resources. While economic 
theory is inconclusive on the relationship between audit market 
competition and audit quality,\221\ academic research finds that market 
concentration and audit fees increased after Arthur Anderson's exit 
from the

[[Page 96766]]

market.\222\ In addition, academic research presents evidence that the 
failure of any of the largest firms could reduce a public company's 
welfare and increase audit fees, but the research also suggests that 
the effects of such failure could be mitigated to the extent that audit 
teams from the exiting firm move with companies to the remaining 
firms.\223\ The required disclosures and confidential reporting are not 
intended to prevent potential failure of a large firm, but they will 
provide information for the Board to monitor transient market 
disruptions and the potential impact on audit quality that could result 
until the market establishes a new equilibrium.
---------------------------------------------------------------------------

    \221\ See, e.g., Yue Pan, Nemit Shroff, and Pengdong Zhang, The 
Dark Side of Audit Market Competition, 75 Journal of Accounting and 
Economics 1 (2023) (explaining that greater competition may foster 
audit process innovation, reduce firm complacency, or strengthen 
firm reputational incentives to supply high audit quality or that 
competition may lower audit quality if it leads firms to focus on 
appeasing clients by reducing professional skepticism and allowing 
clients excessive financial reporting discretion).
    \222\ See, e.g., Emilie R. Feldman, A Basic Quantification of 
the Competitive Implications of the Demise of Arthur Anderson, 29 
Review of Industrial Organization 193 (2006).
    \223\ See, e.g., Gerakos and Syverson, Competition in the Audit 
Market 725.
---------------------------------------------------------------------------

    The PCAOB staff actively engages in research related to the market 
for assurance services to further the PCAOB's mission, by informing the 
standard-setting and rulemaking agenda among other uses. In addition to 
the other benefits, the Board believes that the additional data 
provided by the final rule will enhance the PCAOB's ability to produce 
impactful research and recirculate that gained knowledge into improved 
standards and rules. Relatedly, the Board believes that the required 
disclosures will provide valuable information sources for the public, 
including academic research. Improved research quality is an important 
benefit because quality research contributes to the PCAOB's standard-
setting and rulemaking projects, which in turn has the potential to 
improve capital markets and protect investors. Overall, estimates of 
the social and economic benefits of more effective regulatory oversight 
and additional research would be unreliable due to data limitations.
    One commenter asserted that the proposal did not explain that the 
PCAOB makes confidential data available to third-party researchers for 
their personal research purposes through the PCAOB's Fellowship 
Program, and the commenter questioned the transparency and integrity of 
the program. However, the PCAOB maintains a Fellowship Program for 
interested academics to join the PCAOB as employees, rather than as 
third-party researchers.\224\ PCAOB's academic fellows work with PCAOB 
staff on PCAOB projects and develop working papers and publishable 
research on topics relevant to the PCAOB's mission. The academic 
fellows hired through the program are subject to the PCAOB's ethics 
code, including confidentiality restrictions therein, and protocols 
that govern internal review and public dissemination of the resulting 
research. While the Board approves proposed research topics prior to 
hiring academic fellows, conclusions reached in working papers and 
publications solely reflect the views of the authors and are not 
evaluated or approved by the Board.\225\ The commenter also asserted 
that the PCAOB does not obtain approval from audit firms for use of the 
firms' confidential data by third parties. However, under Sarbanes-
Oxley, the information filed by audit firms is regulatory information, 
and the PCAOB's use of that information, including use by academic 
fellows, who are employees of the PCAOB, is consistent with Sarbanes-
Oxley.
---------------------------------------------------------------------------

    \224\ More information regarding the PCAOB Fellowship Program 
can be found on the PCAOB's website, available at https://pcaobus.org/careers/econfellowship.
    \225\ More information regarding working papers and publications 
developed by academic fellows can be found on the PCAOB's website, 
available at https://pcaobus.org/resources/information-for-academics/publications-and-workingpapers.
---------------------------------------------------------------------------

ii. Indirect Benefits
    Enhanced transparency of audit firms may prompt some firms to 
manage their operating characteristics in anticipation of investor and 
audit committee reactions to the required disclosures. For example, in 
light of the required governance disclosures, some firms may establish 
or strengthen governing boards, which will support leadership and 
promote accountability within the firm. At the margins, some firms may 
also seek network memberships or initiate more active participation in 
existing networks, which could strengthen the firms' own technical 
capacity. In addition, some firms may establish or improve integration 
of cybersecurity policies and procedures into their risk management 
systems or engage more third-party specialists to address cybersecurity 
risks, which could reduce firms' vulnerabilities to cyberattacks and 
thereby reduce the impacts of future cyberattacks. These indirect 
benefits will enhance firms' capacities, incentives, and constraints to 
provide quality audit services.
    Firms will also be able to compare their own information against 
other firms and, thus, better manage their own audit practices. The 
extent of this benefit will depend on whether the firms already collect 
information for comparison or benchmarking purposes. Firms that do not 
currently collect any information will likely benefit more from the 
required disclosures. One commenter asserted that benefits will not 
accrue to smaller firms but did not explain why smaller firms may be 
less inclined to use the required disclosures in this way. The Board 
believes that firms' uses of the required disclosures may vary across 
firms. The Board next discusses indirect benefits linked to improved 
audit quality, financial reporting quality, capital market efficiency, 
and competition.
a. Improved Audit Quality, Financial Reporting Quality, and Capital 
Market Efficiency
    While the required disclosures will not necessarily have a direct 
relationship to audit quality, they may enhance audit quality as 
investors and audit committees iteratively select and monitor firms and 
advance their understanding of the information content of the required 
disclosures through communication with firms and evaluation of firm 
characteristics.\226\ Since auditors have a responsibility to provide 
reasonable assurance about whether financial statements are free of 
material misstatements, enhanced audit quality could increase the 
likelihood that the auditor will discover a material misstatement or 
will qualify its audit opinion when a material misstatement exists and 
is not corrected by management. If a registrant files with the SEC 
financial statements that are accompanied by a qualified auditor's 
report, the filing may be deemed deficient and considered not timely 
filed.\227\ Furthermore, a qualified audit opinion may evoke negative 
market reactions. For these reasons, enhanced audit quality could 
incentivize issuers to take steps to ensure their financial statements 
are free of material misstatements. Issuers could take these steps 
proactively, prior to the audit, or

[[Page 96767]]

in response to adjustments requested by the auditor. Financial 
statements that are free of material misstatements are of higher 
quality and more useful to investors.\228\
---------------------------------------------------------------------------

    \226\ See, e.g., Dao, et al., Shareholder Voting on Auditor 
Selection 168 (finding evidence that shareholder involvement in firm 
selection is associated with higher audit fees and improved audit 
quality); Mert Erinc and Tzachi Zach, Auditor-Client Compatibility 
and Audit Quality, available on SSRN: https://ssrn.com/abstract=4703916 (2024) (finding that auditor fit--as measured by a 
metric that links PCAOB inspection deficiencies to the most critical 
accounting areas disclosed in 10Ks--is negatively related to 
restatements, abnormal accruals, and Dechow-Dichev discretionary 
accruals). The Board notes that SSRN does not peer review its 
submissions. In principle, iterative selection and monitoring could 
lead to a reduction in the overall quality of audit services. For 
example, some issuers may seek lower audit fees at the expense of 
audit quality. Due to the fact that the required disclosures will be 
public, the Board believes, in most cases, this would be less 
likely.
    \227\ See, e.g., SEC, Division of Corporation Finance, Financial 
Reporting Manual, Section 4220 (last updated: 10/30/2020), available 
at https://www.sec.gov/corpfin/cf-manual/topic-4.
    \228\ The Board notes three caveats. First, some theoretical 
research finds that changes to auditing standards can have 
counterintuitive effects on audit quality. See, e.g., Marleen 
Willekens and Dan A. Simunic, Precision in Auditing Standards: 
Effects on Auditor and Director Liability and the Supply and Demand 
for Audit Services, 37 Accounting and Business Research 217 (2007) 
(finding that increased precision in auditing standards can reduce 
audit quality); Pingyang Gao and Gaoqing Zhang, Auditing Standards, 
Professional Judgment, and Audit Quality, 94 The Accounting Review 
201 (2019) (showing that setting a higher minimum bar can reduce 
quality). The Board notes that these studies examine the impacts of 
audit performance standards. By contrast, Firm Reporting is a 
disclosure rule. The Board is also unaware of empirical evidence 
that directly tests these theories. Second, the conclusion that 
financial statements that are free of material misstatements are 
more useful to investors hinges on the assumption that investors 
value compliance with the applicable financial reporting framework 
(e.g., U.S. GAAP). The various market reactions to restatements that 
have been documented in academic literature suggests that this is 
the case. See, e.g., Mark DeFond and Jieying Zhang, A Review of 
Archival Auditing Research, 58 Journal of Accounting and Economics 
275 (2014) (explaining that restatements are one of the most 
commonly used measures of misstatements in auditing research). 
Third, the conclusion that improved audit quality will improve 
financial reporting quality assumes that issuers will not switch to 
sufficiently lower quality auditors in sufficient numbers as a 
result of the Firm Reporting rule.
---------------------------------------------------------------------------

    More reliable financial information allows investors to improve the 
efficiency of their capital allocation decisions (e.g., investors may 
more accurately identify companies with the strongest prospects for 
generating future risk-adjusted returns and reallocate their capital 
accordingly).\229\ Investor confidence in financial reporting quality 
could also increase and lower investors' perceived risk in capital 
markets generally, which economic theory suggests can lead to an 
increase in the supply of capital.\230\ An increase in the supply of 
capital could increase capital formation while also reducing the 
issuer's cost of capital.\231\ A reduction in the cost of capital 
reflects a welfare gain because investors perceive less risk in capital 
markets.\232\
---------------------------------------------------------------------------

    \229\ Economic theory suggests that additional information 
generally improves outcomes in incentive contracts between 
principals (e.g., investors) and agents (e.g., company management). 
See, e.g., Bengt Holmstr[ouml]m, Moral Hazard and Observability, 10 
The Bell Journal of Economics 74 (1979) (finding that efficiency 
improves when contractable information about an agent's performance 
is available to the agent's principal).
    \230\ See, e.g., Richard A. Lambert, Christian Leuz, and Robert 
E. Verrecchia, Accounting Information, Disclosure, and the Cost of 
Capital, 45 Journal of Accounting Research 385 (2007) (concluding 
that improving the quality of accounting disclosures can influence 
the cost of capital and under certain conditions can unambiguously 
lower the cost of capital).
    \231\ See, e.g., Richard A. Lambert, Christian Leuz, and Robert 
E. Verrecchia, Information Asymmetry, Information Precision, and the 
Cost of Capital, 16 Review of Finance 1, 16-18 (2011) (discussing 
the theoretical link between financial reporting quality and cost of 
capital).
    \232\ Based on results from academic literature, the Firm and 
Engagement Metrics rule quantifies that a single basis point 
reduction in the weighted average cost of capital would imply at 
least $91.6 billion in welfare gains. See Firm and Engagement 
Metrics, PCAOB Rel. No. 2024-002 (April 9, 2024) for the 
calculations and related discussion.
---------------------------------------------------------------------------

    One commenter suggested that the required disclosures are unrelated 
to a company's value creation activities or gauging shareholder returns 
on investments and, thus, the required disclosures cannot serve to 
inform investors' decisions to vote on shareholder ratification of the 
auditor or allocate capital. While the Board agrees that the required 
disclosures are not directly related to a company's value creation 
activities or gauging shareholder returns on investments, the Board 
continues to believe that the required disclosures could serve as an 
indirect channel for investors to improve the efficiency of their 
capital allocation decisions as described in the proposal and in this 
section. In addition, as noted in above, investor-related groups 
affirmed the decision-usefulness of the required disclosures for 
ratification votes as articulated in the proposal.
    Several commenters agreed that the required disclosures will not 
necessarily have a direct relationship to audit quality and questioned 
how the required disclosures will impact audit quality. One commenter 
asserted that enhanced audit quality through iterative selection and 
monitoring is not a meaningful benefit because shareholder voting on 
audit firm appointment ratification is not required under U.S. laws and 
is generally non-binding. While the direct benefits described in the 
proposal and above do not depend on audit quality, the Board continues 
to believe that indirect benefits described in the proposal and in this 
section, including enhanced audit quality and financial reporting 
quality, may be derived from a process of iterative selection and 
monitoring. In addition, the Board noted in the proposal and in this 
release that shareholder voting on audit firm ratification is not 
required under U.S. laws and is generally non-binding, but iterative 
selection and monitoring may include investors iteratively selecting 
and monitoring audit committee members in addition to investors and 
audit committees iteratively selecting and monitoring audit firms.
    Two commenters suggested that without a direct link to audit 
quality, the benefits to investors and audit committees are uncertain. 
While the Board agrees that the caveats and limitations enumerated for 
the direct benefits described above do generate some uncertainty 
regarding the direct benefits associated with the required disclosures, 
the direct benefits to investors, audit committees, and other 
stakeholders do not depend on improvements to audit quality. As noted 
above, investor-related groups and audit committee members affirmed the 
usefulness of the required disclosures.
    One commenter suggested that comprehending the relationship between 
the reporting requirements and audit quality is challenging without a 
precise definition of audit quality. However, as noted in the proposal 
and above in this release, audit quality is an abstract concept, and 
there is no single comprehensive measure of audit quality. 
Nevertheless, the Board agrees that investors want to maximize audit 
quality for a given amount of fees they are willing to pay, and a 
section below summarizes considerations that suggest each of the areas 
of disclosure will help investors pursue higher audit quality. Another 
commenter suggested that using an investor's lens to evaluate a firm's 
financial success does not equate to evaluating a firm's audit quality. 
However, the Board believes the information that will be publicly 
disclosed under the reporting requirements will help investors because 
of the information's relevance to audit quality, as suggested in the 
section below, rather than financial success per se. Moreover, the 
required reporting of the largest firms' financial statements is 
analyzed through a regulatory lens in a section below because financial 
statements will be reported confidentially to the PCAOB. One commenter 
asserted that rather than focusing on audit quality, the reporting 
requirements focus on audit firms providing information to facilitate 
PCAOB monitoring of audit firm operations and financial stability. 
While the Board agrees that the reporting requirements will facilitate 
PCAOB monitoring of audit firm operating and financial characteristics, 
the purpose of the monitoring is to plan and scope inspections and 
identify developments that may lead to disruptions in the timely 
issuance of audit opinions under certain circumstances or lead to audit 
market disruptions that threaten audit quality.

[[Page 96768]]

b. Competition
(1) Capital Market Reactions to Firm Information
    As the additional information, context, and perspective regarding 
audit firms will help investors assess a firm's capacity, incentives, 
and constraints to provide quality audit services, it will, by 
extension, help investors assess financial reporting quality.\233\ 
Investors will therefore be able to incorporate the required 
disclosures into their portfolio selection decisions.\234\
---------------------------------------------------------------------------

    \233\ See above for a discussion regarding the association 
between audit quality and financial reporting quality.
    \234\ There is an extensive body of academic literature 
suggesting that financial markets incorporate information into 
securities prices. See, e.g., Eugene F. Fama, Efficient Capital 
Markets: A Review of Theory and Empirical Work, 25 The Journal of 
Finance 383 (1970).
---------------------------------------------------------------------------

    Issuers audited by firms whose characteristics capital markets 
associate with higher financial reporting quality may experience 
reduced cost of capital or other capital market benefits and investors 
may reallocate their capital accordingly. Taken in isolation, this 
could tend to result in a reallocation of capital from issuers with 
perceived less reliable financial reporting quality to issuers with 
perceived higher financial reporting quality.
    These capital market reactions could provide audit committees with 
a stronger incentive to appoint an audit firm whose operating 
characteristics capital markets associate with higher financial 
reporting quality. These effects could lead to increases in audit fees 
for firms that experience increased demand for their services. The 
opposite could result for other firms. Facing capacity constraints, 
some firms may turn down engagements or recruit additional staff to 
expand capacity.
(2) Audit Firm Competition
    Economic theory suggests that reductions in search costs can lead 
to increased competition,\235\ which may result in lower audit fees or 
higher audit quality.\236\ In the process of selecting a firm, audit 
committees and investors incur search costs associated with finding 
information and comparing and evaluating firms. The required 
disclosures will reduce search costs and provide audit committees and 
investors with greater insights into which firm could best meet 
investor needs regarding the audit.
---------------------------------------------------------------------------

    \235\ See, e.g., Jean Tirole, The Theory of Industrial 
Organization 294 (1988); Helmut Bester, Bargaining, Search Costs and 
Equilibrium Price Distributions, 55 The Review of Economic Studies 
201 (1988).
    \236\ The relationship between increased competition and lower 
audit fees is well-established. See, e.g., Wieteke Numan and Marleen 
Willekens, An Empirical Test to Spatial Competition in the Audit 
Market, 53 Journal of Accounting and Economics 450 (2012); Andrew R. 
Kitto, The Effects of Non-Big 4 Mergers on Audit Efficiency and 
Audit Market Competition, 77 Journal of Accounting and Economics 1 
(2024). The relationship between increased competition and audit 
quality is less conclusive. See, e.g., Pan et al., The Dark Side 1; 
Andrew Kitto, Phillip T. Lamoreaux, and Devin Williams, Do Entry 
Barriers Allow Low Quality Audit Firms to Enter the Public Company 
Audit Market? (2023) available on SSRN: https://papers.ssrn.com/abstract=3572688.
---------------------------------------------------------------------------

    Against the backdrop of capital market reactions to the required 
disclosures and as firms become better able to monetize their 
reputations, firms will have an incentive to compete on some of the 
operating characteristics. As described above, some firms may seek to 
manage their characteristics by establishing or strengthening governing 
boards, participating more in networks, or integrating cybersecurity 
policies and procedures into risk management systems. This competitive 
dynamic will enhance audit quality and, by extension, financial 
reporting quality. One commenter noted that the audit has become 
commodified and that firms compete primarily on cost due to a lack of 
information on audit quality. The commenter explained that this results 
in audit firms ``squeezing'' professional staff for productivity.
    The Board notes that the benefits linked to competition among audit 
firms could vary between audits conducted by larger and smaller firms. 
In particular, the benefits could be reduced for the larger issuer 
segment of the market because larger issuers have fewer firms available 
to choose from that are able to perform large, complex audits.\237\
---------------------------------------------------------------------------

    \237\ Economic research identifies three features of the audit 
market that may impact the market's competitive dynamics: its role 
in preserving transparency and improving the functioning of capital 
markets; high degree of mandated demand; and concentrated supply. 
See, e.g., Gerakos and Syverson, Competition in the Audit Market 
725.
---------------------------------------------------------------------------

iii. Academic Literature Related to the Required Disclosures
    In the following discussion, the Board reviews academic research 
and other considerations related to each of the areas of required 
disclosures--i.e., financial, governance, network, cybersecurity--and 
the updated description of QC policies and procedures to consider how 
the disclosures might function as useful information to enable 
investors and audit committees to more efficiently and effectively 
differentiate among individual firms. The Board notes five caveats. 
First, some of the studies rely on proxies for the required disclosures 
or use data from foreign jurisdictions. The relevance of the studies is 
therefore limited to the extent that the proxies are not equivalent to 
the required disclosures or to the extent that results may not be 
applicable to the U.S. audit market more generally. Second, while the 
studies may draw conclusions regarding a particular characteristic's 
relationship to publicly available proxies for audit quality, this does 
not imply that the characteristic will provide any new insights to 
investors and audit committees incremental to the insights already 
provided by the publicly available proxies for audit quality. Third, 
those relationships may be too indirect or difficult to fully evaluate. 
Moreover, the required disclosures will not directly measure audit 
quality. Audit quality is an abstract concept, and there is no single 
comprehensive measure of audit quality. Fourth, the Board notes that 
benefits related to any required disclosure will be reduced to the 
extent that the same reliable measures are publicly available from 
other sources. Fifth, benefits related to any required disclosure may 
vary between larger firms and smaller firms.
    One commenter reported results of a survey of 100 institutional 
investor respondents that indicates 57 percent of respondents feel that 
the information available to assess the quality of the audit of a 
publicly traded company meets all of the respondent's needs, 35 percent 
feel that the information available meets most of the respondent's 
needs, and 8 percent feel that the information available meets some of 
the respondent's needs.\238\ The commenter also reported survey results 
regarding the ways that institutional investors evaluate the quality 
and reliability of the audit of financial statements.\239\ Among the 
top three, 43 percent of respondents chose the auditor's opinion on the 
financial statements and ICFR, 40 percent chose audit quality reports 
issued by the audit firm conducting the audit, and 38 percent chose 
PCAOB inspection reports of the firm performing the audit. The 
commenter also reported results of a survey of 242 audit committee 
member respondents regarding the ways they evaluate the quality and 
reliability of the audit of financial statements.\240\ Among the top

[[Page 96769]]

three, 94 percent of respondents chose the nature and robustness of 
conversations with the auditor, 93 percent chose timely and transparent 
communication, and 75 percent chose the reputation of the audit firm 
conducting the audit. The Board believes that these survey results 
suggest that institutional investor respondents generally tend to use 
publicly available information sources and audit committee member 
respondents generally tend to use interactions with the audit firm as 
sources to evaluate the quality and reliability of the audit. In 
addition, the Board believes the survey results suggest that some 
institutional investor respondents feel they need additional 
information to assess audit quality because 43 percent of respondents 
indicated that the information to assess audit quality does not meet 
all of the respondent's needs.
---------------------------------------------------------------------------

    \238\ See CAQ Investor Survey. The survey question asked, ``How 
do you feel about the information available to you to assess the 
quality of the audit of a publicly traded company you invest in or 
follow?''
    \239\ See CAQ Investor Survey. The survey question asked, ``What 
are the top three ways that you evaluate the quality and reliability 
of the audit of financial statements of publicly traded companies 
you invest in or follow? Please choose up to three.''
    \240\ See CAQ Audit Committee Survey. The survey question asked, 
``How do you evaluate the quality and reliability of the audit of 
financial statements of the publicly traded companies for which you 
sit on the board?''
---------------------------------------------------------------------------

a. Financial Information
    The required disclosures regarding disaggregation of fees will help 
investors and audit committees assess dimensions of a firm's PCAOB 
audit practice--such as size, audit versus non-audit focus, or 
attention to issuer audits versus broker-dealer audits--to determine 
whether the firm has the technical and operating capacity to perform 
the audit. The disaggregation of fees will help assess whether the firm 
may be reliant on revenue from services other than audits in a manner 
that could influence the firm's independence or decision-making. The 
revision to the instructions to Form 2 to delete the language 
permitting foreign registered firms to request confidential treatment 
of information provided in response to Form 2, Item 3.2 (Fees Billed to 
Issuer Audit Clients), will remove an accommodation that is extended to 
foreign registered firms that is not extended to domestic registered 
firms.
    Academic research suggests that audit firm risk profiles can be 
reasonably assessed by insurers who set premiums for audit firms based, 
at least in part, on information contained in fees--such as audit 
practice size or revenue growth.\241\ Audit practice size could be 
determined based on fees, and revenue growth could be calculated from 
fees reported consistently over time. Moreover, research suggests that 
the percentage of non-audit fees to total fees billed to audit clients 
could be used to inform investors' views of firm independence.\242\
---------------------------------------------------------------------------

    \241\ See, e.g., Jeffrey R. Casterella, Kevan L. Jensen, and W. 
Robert Knechel, Litigation Risk and Audit Firm Characteristics, 29 
Auditing: A Journal of Practice & Theory 71, 80 (2010).
    \242\ See, e.g., Mishra, et al., Do Investors' Perceptions Vary 
9; Cunningham, Auditor Ratification 174.
---------------------------------------------------------------------------

    One commenter asserted that the proposal failed to explain how 
investors will process expanded fee information and whether such 
information will be useful or appropriately interpreted. The commenter 
suggested that the potential benefits of further disaggregation and 
granularity of fees are uncertain without evidence to support how the 
required disclosures will be used. Another commenter asserted that the 
proposal did not provide evidence that the fee information will provide 
stakeholders with decision-useful information or help them assess a 
firm's ability to deliver audit services. Two commenters asserted that 
a more meaningful measure of audit fees is already provided to 
investors in SEC filings. One commenter asserted that presenting fees 
in dollar amounts will distract from comparability across firms because 
of the vast differences in the size of firms serving as issuer and 
broker-dealer auditors and that presenting fees in dollar amounts will 
shift focus away from the size of a firm's issuer audit practice to the 
size of its practice as a whole. Another commenter suggested that 
comparability of audit fees across firms will be severely limited 
because of different sizes and operating structures of the firms. 
Several commenters asserted that the proposal was not clear on how 
investors and audit committees will use disaggregated fee information 
about private company audits.
    While the Board believes that the uses of the required audit fee 
disclosures may vary across investors, the academic research cited 
above suggests how investors may process and use the information. The 
Board also believes that interpretation of the information may vary 
across investors and that investors will need to be responsible users 
of the information. One commenter reported results of a survey of 100 
institutional investor respondents in which 37 percent of respondents 
indicated that expanded fee information will be extremely helpful \243\ 
and 48 percent of respondents were extremely likely to seek the 
information out.\244\ In addition, audit fees reported in SEC filings 
reflect fees paid by a specific issuer rather than fees received by a 
specific audit firm, the latter of which is the focus of the required 
disclosures. Moreover, the Board agrees that comparability may likely 
be most meaningful among firms of the same size class, which will be 
possible with the required disclosures. However, differences among 
firms do not detract from comparability but rather enable users to 
distinguish one firm from another. Likewise, the required fee 
disclosures will enable users to observe the size of the firm's audit 
practice, the size of the overall firm, or both, depending on the 
users' interests, but the Board has no reason to believe that reporting 
both will shift focus away from one or the other. Finally, the final 
rule eliminates the proposed requirement to provide disaggregated data 
for audit services billed to non-issuers and non-broker-dealers, which 
includes private company audits.
---------------------------------------------------------------------------

    \243\ See CAQ Investor Survey. The survey question asked, ``How 
useful would each of the following firm-level metrics be to you in 
evaluating the quality of an audit of a company you invest in or 
follow?'' The Board notes that the survey results could vary based 
on any differences between the proposed disclosures and the adopted 
disclosures.
    \244\ See CAQ Investor Survey. The survey question asked, ``If 
this information were made public on the PCAOB's website, how likely 
would you be to proactively seek out the information on the audit 
firm in evaluating the quality of an audit of a company you invest 
in or follow?'' The Board notes that the survey results could vary 
based on any differences between the proposed disclosures and the 
adopted disclosures.
---------------------------------------------------------------------------

    One commenter explained that a firm with more total fees from audit 
services may imply more capacity, but the only true measure of capacity 
is the number of resources that are available and unused. The point 
raised by the commenter is one of excess resource capacity within a 
single firm rather than operating capacity between two firms. While the 
Board agrees that excess resource capacity has informational value, the 
required disclosure focuses on firm size and operating capacity rather 
than excess resource capacity.
b. Governance Information
    The required disclosures regarding a firm's principal executive 
officer, executive officers who are responsible for various components 
of the QC system, governing boards or management committees, and 
executive officer of the audit practice will provide investors and 
audit committees with consistent and comparable information to 
understand incentives at the firm level based on who is responsible for 
establishing work culture, tone at the top, and mechanisms for 
accountability.\245\ The required

[[Page 96770]]

disclosures regarding legal structure, ownership, governance processes, 
and the EQCF oversight role will facilitate greater differentiation 
among firms based on criteria that could help assess whether a firm is 
properly incentivized or faces any constraints to continuously provide 
quality audit services.\246\
---------------------------------------------------------------------------

    \245\ See, e.g., Ken Tysiac, Audit Quality Indicators Show 
Importance of Tone at the Top, Journal of Accountancy (Apr. 21, 
2022) (explaining that a firm's tone at the top and appropriate 
deployment of personnel are among the most important indicators of 
audit quality, according to an AICPA survey of public accounting 
firms).
    \246\ See, e.g., Henry L. Tosi, Jeffrey P. Katz, Luis R. Gomez-
Mejia, Disaggregating the Agency Contract: The Effects of 
Monitoring, Incentive Alignment, and Term in Office on Agent 
Decision Making, 40 Academy of Management Journal 584 (1997) 
(finding that incentive alignment in company governance is a 
powerful mechanism to ensure agents act in the best interests of 
principals); Levin and Tadelis, Profit Sharing and the Role of 
Professional Partnerships 163; IOSCO, Transparency of Firms that 
Audit Public Companies (Sep. 2009) (explaining that governance, 
including the organizational structure, of firms is perceived to 
have a significant influence on audit quality and a firm's ability 
to continuously provide audit services to the market).
---------------------------------------------------------------------------

    Academic research suggests that stronger governance at U.S. 
national offices results in improved audit quality for U.S. local 
offices.\247\ In addition, academic research indicates that information 
contained in governance disclosures required of Australian firms--such 
as legal and governance structure--is useful to assess audit quality 
for large firms.\248\ Literature also finds that governance 
disclosures--such as legal structure, ownership, and governance 
processes--positively affect investor confidence and reduce the cost of 
capital for some European Union companies.\249\ Finally, research 
suggests that the information contained in European firms' current 
governance disclosures is of low value and could potentially be 
resolved through efforts by oversight bodies and the auditing 
profession to improve information value.\250\ Since U.S. institutions 
differ from other countries and governance measures vary widely across 
the studies, the results from these studies may not directly relate to 
all PCAOB-registered firms.
---------------------------------------------------------------------------

    \247\ See, e.g., Jade Huayu Chen and Preeti Choudhary, The 
Impact of National Office Governance on Audit Quality (2020), 
available on SSRN: https://ssrn.com/abstract=3702083 (2020) (finding 
that closer proximity between a national office and a local office 
strengthens national office governance through monitoring and 
knowledge transfer, resulting in improved audit quality at the local 
office). The Board notes that SSRN does not peer review its 
submissions.
    \248\ See, e.g., Johl, et al., Audit Firm Transparency 
Disclosures 508. One commenter asserted that the proposal did not 
discuss evidence from this study that suggests results are not 
robust to all types of firms. However, the discussion in the 
proposal, like the discussion here, noted that the result was found 
for large firms. In addition, the initial citation of the study in 
the proposal noted that the study found no statistical association 
between governance disclosures and audit quality for medium and 
smaller firms.
    \249\ See, e.g., La Rosa, et al., Corporate Governance of Audit 
Firms 19, 30 (finding that the cost of equity of public interest 
entities in the European Union tends to decrease after the release 
of audit firm transparency reports as a result of increases in 
investor confidence).
    \250\ See, e.g., Deumes et al., Audit Firm Governance 207-208. 
One commenter asserted that the proposal did not discuss this study, 
potentially overstating the benefits of the required disclosures. 
However, the discussion in the proposal, like the discussion here, 
included this study. In addition, the initial citation of the study 
in the proposal noted that the study concluded that current 
transparency report disclosures required in the European Union do 
not appear to reveal underlying audit firm quality.
---------------------------------------------------------------------------

    One firm commenter said that the required governance disclosures 
will provide investors with a view of how an audit firm is structured. 
Investor-related groups agreed that: (i) the disclosures will inform 
stakeholders of a governance mechanism they may consider relevant to 
audit quality, (ii) requiring the information will increase 
standardization and comparability, and (iii) the reporting of the 
information may lead to increased engagement between firms and audit 
committees, investors, and other stakeholders. One firm commenter 
agreed there could be benefits associated with some of the required 
governance disclosures but disagreed there are any benefits associated 
with naming individuals in various roles. Some firm commenters did not 
support the proposed governance disclosures but expressed that some 
disclosures could provide more benefits than the disclosures naming 
individuals in lower ranking roles and the description of the processes 
governing changes in form of organization. One commenter suggested that 
identification of all direct reports to the principal executive officer 
could be interpreted in different ways, which will affect 
comparability. Another commenter suggested that identification of 
direct reports to the principal executive officer could decrease the 
willingness of qualified people to perform roles like the EQCF. One 
commenter affirmed that the required governance disclosures might 
improve audit quality but that such improvements may not be meaningful 
or consequential. Another commenter questioned whether the required 
governance disclosures will enhance audit quality. One commenter said 
that the benefits and uses of the required governance disclosures to 
investors and the public are not clear. Another commenter asserted 
there is no evidence that different governance practices have a 
significant impact on audit quality, which may lead users to draw 
inappropriate conclusions.
    While the Board believes that the relevance of some of the required 
governance disclosures may vary across investors and other users of the 
information, the final rule does not require firms to name direct 
reports to the principal executive officer and eliminates the proposed 
requirement to provide a description of the processes that govern a 
change in the form of organization. In addition, while the required 
governance disclosures may indirectly enhance audit quality as 
described above, the direct benefits described in the proposal and 
above do not depend on audit quality. Moreover, the Board believes that 
the benefits and uses of the required governance disclosures may vary 
across investors and the public, and the comments and academic research 
cited above suggest how investors and the public may benefit from and 
use the information. One commenter reported results of a survey of 100 
institutional investor respondents in which 36 percent of respondents 
indicated that governance information will be extremely helpful \251\ 
and 38 percent of respondents were extremely likely to seek the 
information out.\252\ Finally, the academic research cited above 
suggests that governance practices may impact audit quality, but even 
in the absence of a relationship between governance practices and audit 
quality, users will need to be responsible users of the information to 
draw appropriate conclusions.
---------------------------------------------------------------------------

    \251\ See CAQ Investor Survey. The survey question asked, ``How 
useful would each of the following firm-level metrics be to you in 
evaluating the quality of an audit of a company you invest in or 
follow?'' The Board notes that the survey results could vary based 
on any differences between the proposed disclosures and the adopted 
disclosures.
    \252\ See CAQ Investor Survey. The survey question asked, ``If 
this information were made public on the PCAOB's website, how likely 
would you be to proactively seek out the information on the audit 
firm in evaluating the quality of an audit of a company you invest 
in or follow?'' The Board notes that the survey results could vary 
based on any differences between the proposed disclosures and the 
adopted disclosures.
---------------------------------------------------------------------------

c. Network Information
    The required disclosures regarding a description of the network 
structure and the relationship of the registered firm to the network--
including whether the registered firm has access to resources such as 
firm methodologies and training, whether the firm shares information 
with the network regarding its audits, whether the firm is subject to 
inspection by the network, and other information the firm considers 
relevant to understanding how the network relationship relates to its 
conduct of audits--will provide investors and audit committees with 
consistent and comparable information to understand

[[Page 96771]]

incentives and constraints at the network level as compared to the firm 
level. The required disclosures regarding sharing of training materials 
and audit methodologies will facilitate differentiation among firms 
based on factors that could help assess how much technical capacity a 
firm has to provide quality audit services.
    Academic research suggests that information contained in the 
required network disclosures--such as audit methodologies and technical 
resources--will be useful to assess audit quality.\253\ In addition, 
research indicates that information regarding a registered firm's 
relationship to a network and how the relationship relates to the 
firm's conduct of audits will help assess the firm's capacity to 
perform an audit.\254\ Moreover, research finds that information 
contained in network disclosures in general will be particularly useful 
to assess audit quality and fees charged by smaller firms.\255\ Since 
network membership may tend to be chosen by firms that are more 
inclined to focus on audit quality, the results from these studies may 
not generalize equally to all PCAOB-registered firms.
---------------------------------------------------------------------------

    \253\ See, e.g., Juan Mao, Non-Big 6 Audit Firms' Access to 
External Resources through Inter-Organizational Relationships 
(IORs): Insights from the PCAOB, University of Texas at San Antonio 
Working Paper Series WP# 0231ACC (2019) (finding for smaller audit 
firms that audit quality is improved when the firms have access to 
audit manuals and technologies through network relationships).
    \254\ See, e.g., Bills et al., Small Audit Firm Membership 767 
(explaining that smaller firm membership in accounting networks 
provides the firm with access to expertise and technical trainings 
among other resources).
    \255\ See, e.g., Bills et al., Small Audit Firm Membership 767 
(finding that smaller firms that are members of networks have fewer 
PCAOB inspection deficiencies, fewer financial statement 
misstatements, and higher audit fees than their non-member peers).
---------------------------------------------------------------------------

    One firm commenter agreed that network arrangements provide a 
variety of benefits to its members. Some firm commenters asserted that 
the proposal was unclear regarding the purpose of requiring network 
information. Some commenters asserted that the proposal was unclear or 
provided no evidence how the required network disclosures will be 
useful to investors and audit committees. Another commenter asserted 
that the proposal did not provide evidence that the required network 
disclosures will improve stakeholder assessments of a firm's ability to 
deliver quality audit services but suggested that some disclosures seem 
more likely to be relevant to stakeholders than other disclosures.
    The Board believes that the relevance and usefulness of some of the 
required network disclosures may vary across investors and audit 
committees, and the comments and academic research cited above indicate 
that investors and audit committees will have reason to value the 
information. In addition, modifying the requirement to focus on the 
registered firm and the aspects of its relationship with the network 
that most directly relate to the firm's conduct of audits contributes 
to the relevance and usefulness of the information. One commenter 
reported results of a survey of 100 institutional investor respondents 
in which 35 percent of respondents indicated that network information 
will be extremely helpful \256\ and 36 percent of respondents were 
extremely likely to seek the information out.\257\
---------------------------------------------------------------------------

    \256\ See CAQ Investor Survey. The survey question asked, ``How 
useful would each of the following firm-level metrics be to you in 
evaluating the quality of an audit of a company you invest in or 
follow?'' The Board notes that the survey results could vary based 
on any differences between the proposed disclosures and the adopted 
disclosures.
    \257\ See CAQ Investor Survey. The survey question asked, ``If 
this information were made public on the PCAOB's website, how likely 
would you be to proactively seek out the information on the audit 
firm in evaluating the quality of an audit of a company you invest 
in or follow?'' The Board notes that the survey results could vary 
based on any differences between the proposed disclosures and the 
adopted disclosures.
---------------------------------------------------------------------------

d. Cybersecurity Information
    The required disclosures regarding integration of cybersecurity 
policies and procedures into risk management systems, engagement of 
third parties in relation to cybersecurity risks, and policies and 
procedures to oversee and identify threats associated with third-party 
service providers will provide investors and audit committees with 
information to understand efforts taken to protect an issuer's 
confidential data.\258\ The required disclosures will also facilitate 
differentiation among firms based on information that could help 
investors and audit committees assess a firm's vulnerability to 
cyberattacks, which could impact a firm's operations and ability to 
continue delivering quality audit services.\259\ The Board notes that 
institutional investors may be more inclined than retail investors to 
employ resources assessing cybersecurity policies and procedures 
because of the expertise required.\260\
---------------------------------------------------------------------------

    \258\ See, e.g., Nick Hopkins, Deloitte Hit by Cyberattack 
Revealing Client's Secret Emails, Guardian (Sep. 25, 2017) 
(discussing consequences for issuers' data that resulted from a 
cyberattack at one of the largest firms).
    \259\ See, e.g., Patrick M[uuml]nch, The Importance of 
Cybersecurity in Accounting, Accounting Today (Feb. 21, 2023) 
(explaining that accounting firms should regularly evaluate their 
cybersecurity processes and policies to ensure they are taking full 
advantage of the latest tools and techniques to protect against 
cyberattacks). For examples of business operations that have been 
disrupted by cyberattacks, see, e.g., David E. Sanger, Clifford 
Krauss, and Nicole Perlroth, Cyberattack Forces a Shutdown of a Top 
U.S. Pipeline, The New York Times (May 8, 2021); Reuters, Estee 
Lauder Hit by Cyberattack, Some Business Operations Affected (July 
20, 2023).
    \260\ See, e.g., PCAOB Investor Advisory Group Meeting (Sep. 26, 
2024).
---------------------------------------------------------------------------

    Academic research suggests that information contained in the 
required disclosures will be useful to assess whether a firm has 
policies and procedures in place to manage the risk of a potential 
cyberattack that could impact a firm's reputation,\261\ which investors 
rely on to infer audit quality since they cannot assess quality by 
casual observation.\262\ In addition, research suggests that 
information contained in a firm's cybersecurity disclosures may help 
investors more efficiently price an issuer's securities to the extent 
that they are confident that a firm's policies and procedures provide 
sufficient protection against a potential cyberattack.\263\
---------------------------------------------------------------------------

    \261\ See, e.g., Barri Litt, Paul Tanyi, and Marcia Weidenmier 
Watson, Cybersecurity Breach at a Big 4 Accounting Firm: Effects on 
Auditor Reputation, 37 Journal of Information Systems 2 (2023) 
(concluding that significant cyberattacks can negatively impact the 
reputation of any of the largest firms).
    \262\ See, e.g., Karen M. Hennes, Andrew J. Leone, and Brian P. 
Miller, Determinants and Market Consequences of Auditor Dismissals 
after Accounting Restatements, 89 The Accounting Review 1051, 1055 
(2014) (explaining that corporate boards and investors rely heavily 
on audit firm reputation to infer audit quality).
    \263\ See, e.g., Litt et al., Cybersecurity Breach 2 (finding 
evidence of negative market returns for a large firm's issuer 
clients after a major cybersecurity incident at the firm was 
disclosed by a third party); Richardson et al., Much Ado about 
Nothing 249.
---------------------------------------------------------------------------

    Several commenters supported the disclosure of cybersecurity 
policies and procedures. One commenter questioned the usefulness of 
disclosing cybersecurity policies and procedures because of the general 
nature of the information and more detailed information is part of the 
PCAOB's inspection requests and is often discussed with audit 
committees and company management. Another commenter asserted that 
there is little risk that a cybersecurity incident at an audit firm 
will impact a company's operations or financial reporting systems 
because firms are not in possession of a company's intellectual 
property or a company's personal identifying information. The commenter 
further asserted that it is unclear how a cybersecurity incident at an 
audit firm will likely substantially harm investors.
    Because investors are not privy to PCAOB inspection requests and 
may not be privy to an audit firm's discussions with the audit 
committee or company management, the Board continues to

[[Page 96772]]

believe that even cybersecurity policies and procedures of a general 
nature will be useful to investors. At one extreme, the required 
disclosures will help investors distinguish a firm with no stated 
policies and procedures from a firm that has stated policies and 
procedures. One commenter reported results of a survey of 100 
institutional investor respondents in which 41 percent of respondents 
indicated that information on cybersecurity policies will be extremely 
helpful \264\ and 46 percent of respondents were extremely likely to 
seek the information out.\265\ While the Board agrees that a 
cybersecurity incident at an audit firm may not impact a company's 
operations or financial reporting systems, academic research cited 
above in this section provides evidence of the harm that can be caused 
to investors by a cybersecurity incident at one of the largest firms 
via negative investment returns.\266\
---------------------------------------------------------------------------

    \264\ See CAQ Investor Survey. The survey question asked, ``How 
useful would each of the following firm-level metrics be to you in 
evaluating the quality of an audit of a company you invest in or 
follow?'' The Board notes that the survey results could vary based 
on any differences between the proposed disclosures and the adopted 
disclosures.
    \265\ See CAQ Investor Survey. The survey question asked, ``If 
this information were made public on the PCAOB's website, how likely 
would you be to proactively seek out the information on the audit 
firm in evaluating the quality of an audit of a company you invest 
in or follow?'' The Board notes that the survey results could vary 
based on any differences between the proposed disclosures and the 
adopted disclosures.
    \266\ See, e.g., Litt et al., Cybersecurity Breach 2.
---------------------------------------------------------------------------

e. Updated Description of QC Policies and Procedures
    The required one-time disclosure of a firm's policies and 
procedures on Form QCPP will enable investors and audit committees to 
more efficiently understand differences among firms' quality control 
policies and procedures pursuant to QC 1000 and, thus, help assess a 
firm's capacity to deliver high-quality audit services for firms that 
provide audit services.\267\
---------------------------------------------------------------------------

    \267\ See, e.g., Daniel Aobdia, The Economic Consequences of 
Audit Firms' Quality Control System Deficiencies, 66 Management 
Science 2883 (2020) (finding a negative association between 
performance-related quality control deficiencies identified during 
PCAOB inspections and audit quality).
---------------------------------------------------------------------------

    Some commenters were supportive of firms providing an updated 
description of their QC policies and procedures and agreed with the 
benefits that may accrue to investors and audit committees, including 
increasing transparency. One commenter agreed that updated QC related 
information may be relevant but believes an update is not necessary 
because it duplicates the requirements of QC 1000. Another commenter 
noted, with respect to transparency, there were no specifics in the 
proposal on how investors and audit committees will evaluate the 
updated information. The commenter further expressed concern regarding 
the impact this requirement will have on inactive firms, as these firms 
will not have investors or audit committees in need of this 
information.
    The required one-time update of a firm's policies and procedures on 
Form QCPP is unique to the Firm Reporting rule and is limited to firms 
that registered with the Board prior to the effective date of QC 1000. 
As suggested in the proposal and in this section, investors and audit 
committees could evaluate the updated information of one firm against 
the updated information of another firm to more efficiently understand 
differences among firms' quality control policies and procedures. One 
commenter reported results of a survey of 100 institutional investor 
respondents in which 50 percent of respondents indicated that 
information about a firm's QC system will be extremely helpful \268\ 
and 41 percent of respondents were extremely likely to seek the 
information out.\269\ While the Board notes that the survey did not ask 
specifically about Form QCPP, the Board believes that Form QCPP will 
provide information about a firm's QC system. While the commenter did 
not offer a definition of ``inactive'' firms, the Board agrees that 
there could be circumstances in which investors and audit committees 
may not be in need of certain information reported on Form QCPP. 
However, because QC 1000 extends to all registered firms, the Board 
does not rule out the possibility that investors or audit committees 
could have future needs for the information. As noted in the Discussion 
of the Reporting Updates section, the Board believes that the overall 
reporting burden is reduced because of the one-time nature of Form QCPP 
and because the requirement is to summarize matters that firms are 
required to document under QC 1000. A section below discusses further 
the alternative of exempting firms from reporting requirements.
---------------------------------------------------------------------------

    \268\ See CAQ Investor Survey. The survey question asked, ``How 
useful would each of the following firm-level metrics be to you in 
evaluating the quality of an audit of a company you invest in or 
follow?'' The Board notes that the survey results could vary based 
on any differences between the proposed disclosures and the adopted 
disclosures.
    \269\ See CAQ Investor Survey. The survey question asked, ``If 
this information were made public on the PCAOB's website, how likely 
would you be to proactively seek out the information on the audit 
firm in evaluating the quality of an audit of a company you invest 
in or follow?'' The Board notes that the survey results could vary 
based on any differences between the proposed disclosures and the 
adopted disclosures.
---------------------------------------------------------------------------

2. Costs
    In the following discussion, the Board considers direct and 
indirect costs related to the final rule. The Board has attempted to 
quantify costs where possible. However, quantification is generally not 
reliable due to data limitations, particularly the indirect costs.
     First, firms will incur direct costs developing a 
reporting infrastructure or updating existing infrastructure.
     Second, firms will incur direct costs complying with the 
requirements to complete Form 2 and Form 3 and file them with the 
PCAOB.
     Third, market participants will incur indirect costs 
updating their decision-making and monitoring frameworks.
     Fourth, there will be indirect costs linked to competition 
resulting from the reporting requirements.
    Costs could be mitigated to the extent that information provided by 
firms in response to the required reporting changes overlaps with 
voluntary ad hoc reporting by firms or with supplemental information 
that firms already report to PCAOB through the inspection process. 
Firms may either pass their costs on to companies, and ultimately 
investors, through higher audit fees, or they may choose to absorb 
costs. Larger firms will be able to take advantage of economies of 
scale by distributing any fixed costs over a higher number of audit 
engagements. Smaller firms will distribute any fixed costs over a lower 
number of audit engagements, which will make implementation relatively 
more costly for smaller firms.\270\ In addition, any increases in audit 
fees that result from passing costs on to companies could be 
disproportionately higher for smaller companies that are more likely to 
engage smaller audit firms. The Board discusses other potential impacts 
for smaller companies below.
---------------------------------------------------------------------------

    \270\ See, e.g., Michael Minnis and Nemit Shroff, Why Regulate 
Private Firm Disclosure and Auditing?, 47 Accounting and Business 
Research 473, 498-499 (2017) (explaining that increased financial 
reporting regulation is disproportionately costly for smaller 
companies because complying with regulation has large fixed costs, 
and unlike larger companies, smaller companies do not benefit from 
economies of scale).
---------------------------------------------------------------------------

    Several commenters agreed that the reporting requirements could 
have a disproportionate cost impact on smaller audit firms, as 
suggested in the proposal. In addition, some commenters suggested that 
foreign firms could be disproportionately impacted by costs

[[Page 96773]]

because of their smaller number of PCAOB engagements. Some commenters 
noted that firms with smaller issuer and broker-dealer practices, 
including smaller firms and foreign firms, may incur costs for 
extensive systems and processes to implement the reporting requirements 
even if only a small portion of the firms' audit practices are subject 
to PCAOB oversight. One commenter suggested that the majority of 
systems and processes cannot be automated. One commenter suggested the 
reporting requirements may not be sufficiently scalable because they 
will require firms of all sizes to hire additional personnel and 
implement new systems and processes. The commenter noted that smaller 
firms typically operate with limited administrative staff and have 
fewer existing technological resources compared to larger firms. One 
commenter noted that the commenter's outreach to public accounting 
firms that audit U.S. listed companies in the small- and mid-cap market 
supports the proposal's assertion that the reporting requirements could 
have a disproportionate cost impact on smaller and mid-sized audit 
firms. The commenter noted results from a survey the commenter 
conducted of smaller and mid-sized firms that suggested compliance with 
the reporting requirements will strain already limited resources as 
smaller and mid-sized firms modify and expand systems and processes. 
The commenter further affirmed that smaller and mid-sized firms lack 
economies of scale and will be less able than larger firms to recover 
costs. Another commenter, representing smaller firms, affirmed that the 
costs smaller firms will incur to implement administrative processes to 
comply with the reporting requirements will be spread over a smaller 
number of audit clients and audit fee revenue. The Board took these 
potential disproportionate costs into consideration for the final rule, 
including reducing the disaggregated information required for fees, 
exempting smaller firms from confidentially reporting financial 
statements and material specified events, and adopting phased 
implementation. The Board discusses other potential impacts for smaller 
firms in a section below.
i. Direct Costs
a. Firm Infrastructure Costs
    Infrastructure includes systems for data collection, reporting 
processes, controls, and documentation. Firms will likely incur one-
time costs related to infrastructure that is necessary to comply with 
the reporting requirements. There will also likely be some recurring 
costs to maintain infrastructure. The one-time infrastructure costs 
will depend on the extent to which firms already have infrastructure in 
place and will be able to modify the infrastructure to comply with the 
reporting requirements. Most firms are likely to have some 
infrastructure in place for existing reporting requirements related to 
Form 2 and Form 3, as described above, but those systems may require 
modifications and testing before they can be used to comply with the 
new reporting requirements. One firm commenter affirmed that the 
reporting requirements may lead firms to implement new processes and 
infrastructure.
    GNFs and large non-affiliate firms (``NAFs'') \271\ may have 
existing advanced infrastructure and greater capability to modify the 
infrastructure. Smaller NAFs may need to make larger modifications to 
existing infrastructure or invest in entirely new infrastructure. 
Smaller firms may not be able to benefit from economies of scale as 
they will need to spread fixed costs over fewer audit engagements.\272\
---------------------------------------------------------------------------

    \271\ NAFs are U.S. or non-U.S. accounting firms that are 
registered with the Board but are not GNFs. Some NAFs belong to 
international networks other than GNF networks.
    \272\ See, e.g., Minnis and Shroff, Why Regulate 498-499.
---------------------------------------------------------------------------

    The costs associated with developing or updating infrastructure 
will depend on the choice of automated or manual systems. Some firms 
may find it efficient to automate some or all of their systems, which 
will likely increase the one-time costs associated with infrastructure. 
In addition, recurring costs from operating manual systems are likely 
to be higher as scale increases, which may cause some firms to invest 
in automated systems.
    Infrastructure costs will include any costs associated with 
training personnel on how to use the systems. Training may be needed 
for operating activities related to data collection and reporting 
processes as well as for administrative activities related to 
documentation and proper control over the systems.
b. Firm Compliance Costs
    Compliance activities will include preparation, review, 
certification, and filing of forms revised by this rule. Firms will 
incur one-time costs and recurring costs related to compliance with the 
reporting requirements. The compliance costs will depend on the extent 
to which firms already engage in compliance activities related to Form 
2 and Form 3 and will, thus, be able to modify their existing 
compliance activities. The relative magnitude of the compliance costs 
may depend on the size of the firm and whether the firm has chosen 
manual or automated systems.
    GNFs and large NAFs may have existing advanced compliance practices 
and greater resource flexibility to modify existing compliance 
practices. Smaller NAFs may face resource constraints that could make 
modifications to such practices relatively more costly. To the extent 
that compliance activities include any fixed features, smaller firms 
may not be able to benefit from economies of scale as they will need to 
spread fixed costs over fewer audit engagements.\273\
---------------------------------------------------------------------------

    \273\ See, e.g., Minnis and Shroff, Why Regulate 498-499.
---------------------------------------------------------------------------

    Firms will incur personnel costs to prepare, review, and certify 
their filings, which will contain more information and, for Form 3, may 
be made more often. Preparation will require additional time associated 
with drafting narrative disclosures. Review will require additional 
time to validate expanded information and narrative disclosures and 
will potentially include more robust legal review. One-time costs for 
the additional reporting on Form 2 and Form 3 will include training of 
firm personnel regarding the new reporting requirements. One-time costs 
for Form QCPP will include gathering and documenting information 
related to the quality control policies and procedures that have been 
developed pursuant to QC 1000. Recurring costs for the additional 
reporting on Form 2 and Form 3 will include compliance activities 
associated with periodic reporting. There will be no recurring costs 
for the one-time reporting of policies and procedures on Form QCPP.
    The Board expects that the compliance costs associated with the 
required changes will be most significant for the initial filings 
because firm personnel will need to familiarize themselves with new 
reporting requirements and forms. In subsequent reporting periods, the 
Board anticipates that firms will incur lower costs because of any 
efficiencies related to the compliance activities already being 
operationalized.\274\
---------------------------------------------------------------------------

    \274\ See, e.g., PCAOB Rel. No. 2022-007 (finding that auditors 
of large accelerated filers realized efficiencies in developing and 
communicating critical audit matters in the second year of 
implementation, reporting that they generally spent the same or less 
time on critical audit matters compared to the initial year of 
implementation).
---------------------------------------------------------------------------

    Commenters generally agreed there will be compliance costs 
associated with the reporting requirements. One

[[Page 96774]]

commenter suggested that costs will include implementation of new 
processes and procedures, likely resulting in higher audit fees. 
Another commenter explained that the reporting requirements will 
require development of systems and processes to collect the 
information. Another commenter suggested that providing the information 
is labor intensive and that firms will need additional staff. One 
commenter noted that litigation and enforcement costs could result for 
firms from the required disclosures. Another commenter noted that state 
accounting regulators have additional reporting requirements and 
follow-up actions that are triggered upon notification of a Form 2 or 
Form 3 filing. The Board believes each of these is a potential cost of 
the final rule.
    One commenter said the detailed information required will be 
unnecessarily onerous for firms of all sizes. The Board believes 
reporting thresholds and the decision to streamline and clarify certain 
disclosures as compared to the proposal reduces the burden of the 
requirements. Several commenters suggested that firms of all sizes will 
incur substantial costs associated with the granularity and reporting 
period for fees. As explained in the Discussion of the Reporting 
Updates section, the final rule streamlines the fee disclosure 
requirements as compared to the proposal by, for example, eliminating 
the proposed requirement to provide disaggregated data for audit 
services billed to non-issuers and non-broker-dealers and the proposed 
requirement to report fees billed to all clients for each of the four 
fee categories. Limiting the reporting requirement for fees to actual 
fee amounts for issuer audit clients--i.e., the numerator and 
denominator of the current percentage calculations--and actual fee 
amounts billed to broker-dealer audit clients will mitigate firms' 
compliance costs associated with reporting fees. One commenter said 
that the governance disclosures included excessive granularity. As 
explained in the Discussion of the Reporting Updates section, the final 
rule streamlines the governance disclosures as compared to the proposal 
by, for example, eliminating the proposed requirement to name direct 
reports to the principal executive officer and the proposed requirement 
to provide a description of the processes that govern a change in the 
form of organization. One commenter said that the proposal did not 
sufficiently estimate and balance the costs and benefits--including 
potential legal or other risks to firms--from network-related 
disclosures. One commenter characterized the network-related 
disclosures as costly to assemble. Another commenter noted that 
reporting network-related financial obligations could impose an 
administrative burden. While the Board agrees there will be potential 
costs associated with network-related disclosures, including assembly 
costs and administrative costs, the Discussion of the Reporting Updates 
section explains that the final rule simplifies the network-related 
disclosures by, for example, focusing on the registered firm and 
aspects of its relationship with the network that mostly directly 
related to the conduct of audits.
    One commenter asserted that the proposal did not sufficiently 
analyze compliance costs in light of the small incremental benefits to 
audit committees from increased accessibility and comparability of 
publicly available information regarding PCAOB-registered firms. 
However, the commenter did not specify any omitted compliance costs and 
did not consider in the comment the benefits that will accrue to 
investors, as noted in the proposal and in this release. The Board also 
noted previously that the economic analysis separately analyzes 
benefits and costs.
    The compliance costs associated with the required confidential 
reporting of financial statements will include personnel, technology, 
and processing costs incurred to compile financial statements in 
accordance with an accrual basis of accounting and to delineate revenue 
and operating income by service line. In addition, firms will incur 
costs to report significant ownership interests, private equity 
investment, unfunded pension liabilities, and related party 
transactions. Firms will incur one-time costs to establish reporting 
processes as well as recurring costs to maintain those processes. Firms 
will also incur costs to the extent that they maintain two sets of 
financial records--e.g., one set on an accrual basis and one set in 
accordance with another basis. The audit firms subject to the 
confidential financial statement reporting requirement, and any related 
costs, will be limited to firms that have more than 200 audit reports 
issued for issuer audit clients and more than 1,000 personnel during a 
relevant reporting period. PCAOB staff analysis of the reporting 
threshold found that seven firms, including six U.S. GNFs, currently 
fall within the reporting threshold. The costs will be mitigated to the 
extent that firms currently compile financial statements in accordance 
with an accrual basis of accounting, delineate revenue and operating 
income by service line, and track significant ownership interests, 
private equity investment, unfunded pension liabilities, and related 
party transactions.
    The required basis of accounting in the proposal was an applicable 
financial reporting framework (e.g., GAAP or IFRS). Commenters 
generally affirmed that firms would have incurred costs to compile 
financial statements in accordance with an applicable financial 
reporting framework. One commenter asserted that the proposal 
underestimated the nature and extent of the costs to compile financial 
statements under an alternative basis of accounting. The commenter 
affirmed that the reporting requirements would have resulted in firms 
maintaining two sets of financial records, as noted in the proposal. 
One commenter agreed that costs would have included technology updates 
as noted in the proposal and suggested that costs would have included 
collaboration with engagement teams. One commenter said that firms 
would have had to make significant investments of time and resources to 
establish reporting processes and would have incurred costs to maintain 
those processes on an annual basis. The commenter also asserted that 
investor education would have been necessary to help investors digest 
information in the financial statements. Two commenters noted that 
firms would have had to implement new financial reporting processes and 
controls solely for reporting to the PCAOB. One commenter asserted that 
compiling financial statements in accordance with an applicable 
financial reporting framework would have entailed significant time and 
expense for firms of all sizes and that the costs would have greatly 
exceeded any perceived regulatory benefits. Some commenters asserted 
that requiring an applicable financial reporting framework would have 
reduced incentives for larger audit firms to accept issuer audit 
engagements or grow their practice to avoid exceeding the reporting 
thresholds. Some commenters suggested that the proposed extended 
transition period for providing financial statements would not have 
provided relief to firms because costs would have been incurred to 
compile financial statements in accordance with an applicable financial 
reporting framework in order to comply with the transition 
reconciliation requirements.
    In response to commenters' concerns regarding the costs of 
compiling financial statements in accordance with an applicable 
financial reporting framework, the Board has revised the

[[Page 96775]]

requirement for financial statements to be compiled in accordance with 
an accrual basis of accounting, rather than an applicable financial 
reporting framework. To the extent that firms do not compile financial 
statements in accordance with an accrual basis of accounting, the Board 
believes that firms will incur costs as explained above. As explained 
above, U.S. GNFs generally compile financial statements in accordance 
with an accrual basis of accounting. In addition, PCAOB staff analysis 
of the reporting threshold found that for the 2024 Form 2 reporting 
year, one firm exceeded 200 audit reports issued but had fewer than 800 
employees, and one firm exceeded 1,000 employees but had just over 170 
audit reports issued. The Board concludes that there appear to be few 
audit firms under the reporting threshold but close enough to it that a 
financial statement reporting requirement will be triggered. The final 
rule also eliminates the three-year transition period along with the 
requirement for an applicable financial reporting framework. Finally, 
the Board does not expect firms to incur costs to provide education to 
investors because the financial statements will be reported 
confidentially to PCAOB.
    The Board has retained the proposed requirement to delineate by 
service line and clarifying that the delineation includes, at a 
minimum, revenue and operating income. Some commenters noted that 
requiring delineation by service line will result in additional effort 
and cost. To the extent that firms do not currently delineate revenue 
and operating income by service line, the Board agrees that firms will 
incur costs as explained above. Costs to delineate operating income by 
service line may include delineating expenses by service line to 
compile a measure of operating income by service line. However, the 
Board expects that firms will be able to manage costs associated with 
delineating revenue and operating income by service line because these 
activities are closely related to the firms' core competencies.
    The compliance costs associated with the required special reporting 
of material specified events and significant cybersecurity incidents 
will include costs incurred to identify, monitor, and assess the events 
that are newly subject to the reporting requirements. The Board 
anticipates that these costs will be mitigated to the extent that firms 
already maintain risk management frameworks to actively identify, 
monitor, and assess events. For example, PCAOB staff observations of 
the largest firms indicate that those firms already have systems for 
monitoring and responding to the occurrence of cybersecurity incidents. 
In addition, the required reporting for the additional specified events 
is subject to limiting principles--including the materiality threshold 
and events that affect the provision of audit services--that are 
intended to scope events to those that warrant reporting. The 
subsequent costs will depend on the frequency of reportable events. 
Costs will be mitigated to the extent that reportable events occur 
infrequently because firms will not be required to file Form 3 in the 
absence of events. The costs associated with the changes, however, will 
increase with the frequency of reportable events at firms, including 
any follow-ups related to reportable events.
    Some commenters affirmed that firms will incur costs associated 
with reporting the material specified events. One commenter said there 
will be costs associated with establishing new reporting mechanisms. A 
firm commenter asserted that the proposal significantly underestimated 
the complexity and cost of the significant expansion of reporting 
requirements on Form 3 because reporting will require a significant 
amount of manual coordination among people in several different 
functions within the firm. The Board continues to believe that firms 
will incur costs associated with reporting the material specified 
events, including coordination costs within firms. While the proposal 
would have imposed the reporting requirements on all firms, the final 
rule imposes them only on annually inspected firms. Thus, the vast 
majority of audit firms will not incur costs associated with reporting 
the material specified events.\275\
---------------------------------------------------------------------------

    \275\ For 2023, there were 14 annually inspected firms. See 
PCAOB, Spotlight: Staff Update on 2023 Inspection Activities (Aug. 
2024).
---------------------------------------------------------------------------

    One firm commenter suggested that the material specified events 
include matters that firms already raise with PCAOB inspectors and that 
mandating reporting of the events outside the inspection process will 
increase costs for firms because firms will have to modify their 
external reporting systems to capture, evaluate, and submit the 
information. While the Board continues to believe that the costs of 
reporting the material specified events will be mitigated to the extent 
that firms already report the events to the PCAOB through the 
inspection process, the Board agrees that firms will incur costs to 
report the material specified events. In addition, the Board believes 
that more timely reporting of events on Form 3, rather than through 
potentially less timely inspections, will enhance PCAOB oversight and 
benefit firms and investors through better-informed regulatory 
assessment of the events.
    The compliance costs associated with the required special reporting 
of material specified events and significant cybersecurity incidents 
will also include costs incurred to report within the specified time 
period. The filing deadline for material specified events is 14 days 
and for significant cybersecurity incidents is 5 business days. The 
filing deadline for existing specified events will remain at 30 days. 
The costs associated with the deadlines for material specified events 
and significant cybersecurity incidents will include potential 
processing updates, expedited review, and revised administrative 
efforts for filings. The costs are likely to be greater for firms that, 
due to operating circumstances, currently take all of the 30-day period 
to complete and file Form 3. These firms may have to allocate 
additional resources--such as in-house personnel or capital investment 
in automated filing processes--to comply with the shorter deadlines for 
material specified events and significant cybersecurity incidents. The 
costs may be mitigated to the extent that firms choose to automate 
processes, which could be more likely for larger firms, or to the 
extent that firms already file Form 3 within 14 days after a reportable 
event, which as noted above was 12.1 percent of specified events 
reported during the period 2018-2022. Reporting within 14 days is a 
practice with which audit firms are familiar, as reporting by companies 
on Form 8-K is generally required by the SEC within four business days 
after a reportable event.
    Several commenters agreed that firms will incur costs associated 
with shorter Form 3 filing deadlines and suggested that automated 
processes will not mitigate the costs. One firm said that the internal 
processes that will need to be developed to gather information and 
involve the necessary individuals will not be automated. Another firm 
said that reporting cannot be automated for many of the specified 
events because the events will require qualitative judgments by teams 
of people as well as reviews by senior firm leaders. One commenter 
suggested that firms may incur significant costs to comply because firm 
management may need to meet with key firm leaders more frequently. A 
firm commenter suggested there will be costs to establish policies and 
procedures in a firm's QC system to more frequently monitor events and 
determine when a reporting obligation is triggered. Another firm 
commenter

[[Page 96776]]

said that operating processes twice as frequently will increase the 
cost to comply with Form 3 requirements and affirmed that smaller firms 
will be disproportionately affected because there are fewer engagements 
over which to distribute the costs.
    The Board agrees that automated processes will not mitigate costs 
associated with the analysis and evaluation that are required to manage 
and respond to an event. However, the Board continues to believe that 
automated processes may mitigate costs associated with potential 
processing updates, expedited review, and revised administrative 
efforts because those activities are amenable to automation. The Board 
also agrees with the potential disproportionate cost impact on smaller 
firms but notes that smaller firms may also experience fewer and 
smaller scale reportable specified events because of their smaller 
size. In addition, the decision to apply the 14-day filing deadline 
only to material specified events and the 5-business-day filing 
deadline to significant cybersecurity incidents, will mitigate costs 
associated with the filing deadlines. Moreover, the decision to limit 
the reporting requirements for material specified events to annually 
inspected firms will reduce the number of firms subject to costs 
associated with the Form 3 filing deadlines for material specified 
events.
    As discussed in the proposal, the Board considered quantification 
of the compliance burden that firms will incur to complete the 
reporting requirements on Form 2 and Form 3 using a methodology similar 
to the methodology used by federal agencies under the Paperwork 
Reduction Act (PRA).\276\ The methodology requires an estimate of 
burden hours imposed on respondents. In the case of Form 2 and Form 3, 
respondents are audit firms. The Board explored five potential options 
to estimate burden hours. First, the Board considered whether 
information has already been reported by firms to PCAOB regarding 
burden hours, but no information regarding burden hours has been 
reported by firms. Second, the Board explored the availability of 
burden hours imposed by comparable federal forms but based on the 
unique nature of Form 2 and Form 3, PCAOB staff was not aware of any 
comparable federal forms. Third, the Board inquired about PCAOB staff 
experience working with firms to complete Form 2 and Form 3 to assess 
the possibility of estimating burden hours based on expert judgment. 
However, PCAOB staff has not worked directly with firms to complete the 
forms, and the time burden could vary across firms based on factors 
such as: (i) the size of a firm's audit practice; (ii) the use of 
manual or automated processes to complete Form 2; and (iii) the nature 
and complexity of events reported on Form 3. Fourth, the Board analyzed 
PCAOB data generated during the filing of Form 2 and Form 3, including 
length of time to submit the forms calculated from time stamps 
collected when the forms are first initiated and when the forms are 
finally filed. The Board concluded that the wide variation in length of 
time across firms would serve as an indicator of the duration the forms 
are open but not necessarily firm effort to complete the forms. 
Finally, the Board considered a survey of firms to directly collect 
data regarding burden hours and decided to include a question in the 
proposal.
---------------------------------------------------------------------------

    \276\ See A Guide to the Paperwork Reduction Act, available at 
https://pra.digital.gov/burden/estimation.
---------------------------------------------------------------------------

    Several commenters noted that the proposal did not quantify the 
economic impacts. One commenter noted the explanation in the proposal 
of the Board's considerations regarding quantification of the 
compliance burden using a PRA methodology and asserted that the 
approach is not an appropriate substitute. Another commenter suggested 
that the PCAOB should undertake a more rigorous economic evaluation 
that complies with the Paperwork Reduction Act. One commenter expressed 
that quantification of the economic impacts to the overall capital 
markets should include consideration of costs incurred by smaller firms 
and benefits to stakeholders in the companies the smaller firms audit.
    The proposal and this release explain the Board's considerations 
regarding quantification of the compliance burden and the Board's 
general lack of data to quantify the economic impacts. For compliance 
costs, the proposal attempted to collect data from stakeholders 
regarding burden hours to complete Form 2 or Form 3 that could 
potentially enable quantification using a PRA methodology. The proposal 
also requested whether commenters were aware of any methodologies, 
including related studies or data, that could enable quantification of 
costs or benefits. One commenter affirmed that certain questions in the 
proposal suggested that the PCAOB expects other parties to provide 
data. Another commenter noted that audit firms are the best source of 
data regarding costs. However, commenters did not provide any data 
regarding burden hours or suggestions where the Board may find data 
regarding burden hours. Without a reasonably informed estimate of 
burden hours incurred to complete Form 2 or Form 3, the Board is unable 
to reliably quantify the compliance burden using a PRA methodology. 
Moreover, the proposal and this release explain the Board's 
considerations of the costs incurred by smaller firms and benefits to 
investors and audit committees, which includes investors and audit 
committees of companies the smaller firms audit.
    One commenter asserted that the lack of quantification is of 
particular concern because the PCAOB has collected a significant amount 
of data for inspection purposes. The commenter suggested that PCAOB 
staff could use data collected in the inspection process to develop 
anonymized illustrations to demonstrate how the required disclosures 
and confidential reporting could be used and to estimate the related 
costs. The proposal and this release note that supplemental information 
is collected in the inspection process. In addition, the proposal and 
this release describe investors' and audit committees' uses of the 
required disclosures as well as PCAOB uses of the confidential 
reporting, which reflect, in part, PCAOB staff experience with 
information collected in the PCAOB inspection process. Moreover, PCAOB 
staff reviewed and considered information collected in the inspection 
process and concluded that it does not include data or other 
information that would enhance the Board's description of the uses of 
the required disclosures or confidential reporting or enable reliable 
quantification of the economic impacts for the Firm Reporting rule.
ii. Indirect Costs
    As discussed above, enhanced transparency of audit firms may prompt 
some firms to manage their operating characteristics in anticipation of 
investor and audit committee reactions to the required disclosures. If 
firms make changes related to their operating characteristics, firms 
will incur costs. For example, firms will incur costs to establish or 
strengthen governing boards, seek network membership, and/or more 
actively participate in networks. Likewise, firms will incur costs to 
improve integration of cybersecurity policies and procedures into their 
risk management systems or to hire cybersecurity consultants. Firms 
will only choose to incur these costs if the firms expect the 
associated benefits to justify the costs, and costs may be 
disproportionately higher for smaller firms to the extent that the 
costs include a fixed component that will be spread

[[Page 96777]]

over fewer audit engagements. The Board next discusses indirect costs 
associated with updating decision-making and monitoring frameworks and 
indirect costs linked to competition.
a. Updating Decision-Making and Monitoring Frameworks
    Once the required disclosures are available to investors and audit 
committees, investors and audit committees will incur one-time costs to 
the extent that they incorporate the new information into their 
decision-making and monitoring frameworks. In addition, investors and 
audit committees will incur recurring costs to continually monitor the 
new information. Additional time and personnel could be required by 
investors and audit committees as firms' filings increase in length and 
complexity. Investors may begin to incorporate the new information into 
their investment decisions or into their evaluation of the firm for 
their votes regarding the ratification proposal, which may generate 
costs associated with reviewing information and understanding potential 
trends. Audit committees may begin to incorporate the new information 
into their search activities for a firm and into their ongoing 
monitoring activities. Audit committees may also spend time discussing 
the new information with the firms, which will cost both audit 
committees' and the firms' time.
    Investors and audit committees will only choose to incur the one-
time and recurring costs of incorporating the new information if they 
expect the associated benefits to justify the costs. Institutional 
investors may be more inclined than retail investors to incur the costs 
because of economies of scale.
    To the extent that audit firms compare their own information 
against the information of other firms, the firms will incur costs to 
monitor their own information and to review and understand their 
competitors' information. GNFs and large NAFs may be able to deploy 
more resources for research and understanding the overall market. 
Smaller NAFs may have fewer resources to fully evaluate the information 
contained in the new disclosures, and as a result, may incur costs to 
retain a competitive knowledge base compared to GNFs and large NAFs. 
Firms will only choose to incur these costs if the firms expect the 
associated benefits to justify the costs.
b. Competition
    As discussed above, the required disclosures may lead audit firms 
to compete on some of the operating characteristics. Such increased 
competition could lead some firms to devote more resources to 
governance efforts, network participation, and cybersecurity risk 
management.
    To the extent that increased competition results in reduced audit 
fees, it could also reduce profitability for audit firms. Lower audit 
fees could be particularly costly for smaller firms in light of fixed 
infrastructure costs and any fixed component of compliance costs that 
will be spread over fewer audit engagements and further reduce 
profitability. Although lower audit fees may constitute a cost to 
firms, lower fees will directly benefit issuers and indirectly benefit 
investors.
    Several commenters noted that the reporting requirements could have 
competitive impacts on smaller firms. Some commenters suggested that 
the reporting requirements could reduce competition by driving firms to 
deregister to avoid the reporting requirements. One commenter suggested 
that the reporting requirements could significantly increase barriers 
to entry for smaller firms and increase concentration of firms in the 
audit market. One commenter expressed concern that the detailed level 
of reporting requirements could impact the competitiveness of smaller 
firms. Another commenter suggested that the reporting requirements 
could affect the ability of smaller and mid-sized firms to compete and 
possibly lead to higher market concentration.
    As noted in the proposal and above in this section, smaller firms 
could be subject to lower profitability associated with the reporting 
requirements. The Board also believes that some firms may deregister or 
otherwise exit the market as discussed in the proposal and below or 
simply not enter the market, which could lead to higher market 
concentration for PCAOB audits to the extent that the deregistering or 
exiting firms performed issuer or broker-dealer audits. However, 
economic theory is inconclusive on the relationship between audit 
market competition and audit quality \277\ and between audit market 
concentration and audit quality.\278\
---------------------------------------------------------------------------

    \277\ See, e.g., Pan, et al., The Dark Side 1.
    \278\ See, e.g., Jeff P. Boone, Inder K. Khurana, and K.K. 
Raman, Audit Market Concentration and Auditor Tolerance for Earnings 
Management, 29 Contemporary Accounting Research 1171 (2012) 
(explaining that audit market concentration could limit a company's 
choice of auditor and foster complacency among auditors, resulting 
in a more lenient and less skeptical approach to audits and lower 
service quality, or that audit market concentration could raise 
audit quality by lowering the need to please a client and by 
strengthening the auditor's professional values and traditional 
commitment to the independent watchdog function).
---------------------------------------------------------------------------

c. Other Indirect Costs
    Economic theory suggests that firms may pass on to companies 
certain costs in the form of higher audit fees.\279\ The degree to 
which increases in variable costs, such as firm compliance costs, are 
expected to be passed on will vary based on how wide-spread the costs 
are across competitors. Increases in variable costs that impact all 
sellers in an imperfectly competitive market are more likely to be 
passed on than cost increases that impact only a subset of 
sellers.\280\ If costs have a greater impact on a subset of firms, such 
as smaller firms, those firms may be less inclined to pass on the 
incremental costs in order to stay competitive with larger firms to the 
extent that smaller firms compete with larger firms.
---------------------------------------------------------------------------

    \279\ Economic theory suggests that fixed costs are less likely 
to be passed on. Only changes to variable costs are generally 
expected to impact sellers' pricing decisions. See, e.g., Mankiw, 
Principles of Economics 284, 307 (showing that the profit-maximizing 
price is a function of marginal cost rather than fixed costs).
    \280\ See, e.g., Erich Muehlegger and Richard L. Sweeney, Pass-
Through of Own and Rival Cost Shocks: Evidence from the U.S. 
Fracking Boom, 104 Review of Economics & Statistics 1361 (2022).
---------------------------------------------------------------------------

    One commenter noted that the SEC has various rule requirements and 
proposed rules for the use of PCAOB-registered and inspected audit 
firms that apply to entities other than issuers or registered broker-
dealers and that the proposal failed to consider the consequences for 
these entities and the ability of the entities to engage audit firms to 
comply with the SEC requirements. The commenter provided two examples 
of SEC rules.\281\ One rule was recently vacated \282\ and the other is 
a proposal. However, the Board agrees that the final rule will 
indirectly impact entities other than issuers and registered broker-
dealers to the extent that the entity is required under SEC rules to 
obtain an audit from a PCAOB-registered firm or a PCAOB-registered and 
inspected audit firm \283\ and the

[[Page 96778]]

firm chooses to pass on to the entity any part of the costs associated 
with the reporting requirements. As noted above in this section, 
smaller audit firms may be less inclined to pass on higher costs 
associated with the reporting requirements. To the extent that the 
entity prefers a smaller firm, the entity could have fewer audit firms 
to choose from if smaller firms exit the market, as discussed in a 
below section. However, the entity could also accrue benefits 
associated with the required disclosures to the extent that more 
information will be available to select an audit firm.
---------------------------------------------------------------------------

    \281\ See Private Fund Advisers; Documentation of Registered 
Investment Advisers Compliance Reviews, SEC Rel. No. IA-6383 (Aug. 
23, 2023); Safeguarding Advisory Client Assets, 88 FR 14672-14792 
(Mar. 9, 2023).
    \282\ See National Association of Private Fund Managers v. SEC, 
23-60471 U.S. 1 (5th Cir. 2024).
    \283\ The SEC has promulgated rules requiring the use of PCAOB-
registered or PCAOB-registered and inspected audit firms by entities 
other than issuers and registered broker-dealers, including certain 
investment advisers, pooled investment vehicles, security-based swap 
data repositories, and clearing agencies. See, e.g., 17 CFR 
275.206(4)-2 (custody of funds or securities of clients by 
investment advisors); 17 CFR 240.13n-11 (chief compliance officer of 
security-based swap data repository; compliance reports and 
financial reports); 17 CFR 240.17ad-22 (standards and clearing 
agencies); 17 CFR 240.15c3-1g (conditions for ultimate holding 
companies of certain brokers and dealers, Appendix G to 17 CFR 
240.15c3-1); and 17 CFR 240.18a-1 (net capital requirements for 
security-based swap dealers for which there is not a prudential 
regulator).
---------------------------------------------------------------------------

3. Unintended Consequences
    In addition to the benefits and costs discussed above, the final 
rule could have unintended economic consequences. The following 
discussion describes potential unintended consequences the Board has 
considered and, where applicable, any mitigating or countervailing 
factors.
i. Misinterpretation and Insufficient Context
    The required disclosures could be misinterpreted or lack sufficient 
context and therefore generate unexpected outcomes for market 
participants.\284\ Several commenters questioned whether investors and, 
to a lesser extent, audit committees might reach inappropriate 
conclusions without sufficient context for the required disclosures. 
One commenter suggested that a data dump of information could result in 
information overload and more liability for audit committees if they do 
not consider certain information. One commenter said that the 
governance disclosures may require significant context to be 
understood. Two commenters asserted that disclosures of certain 
network-related information is complex and could lead to 
misinterpretation without sufficient context. Another commenter 
suggested that providing the required disclosures publicly could 
undermine the audit committee chair's role because investors will not 
be privy to the audit firm's conversations with the company's audit 
committee, and investors will thus be missing contextual information 
for any evaluation of a firm's disclosures. One commenter reported 
results of a survey of 100 institutional investor respondents regarding 
their beliefs about context and found that 42 percent of respondents 
strongly agreed and 38 percent agreed that firm and engagement-level 
metrics without context cannot adequately communicate factors relevant 
to a particular audit engagement or firm.\285\
---------------------------------------------------------------------------

    \284\ See, e.g., Michael Mowchan and Philip M.J. Reckers, The 
Effect of Form AP on Auditor Liability when Engagement Partner 
Disclosure Shows a History of Restatements, 35 Accounting Horizons 
127 (2021) (finding that jurors' assessments of audit firm liability 
increase following firms' audit-quality-related interventions 
designed to address audit failures).
    \285\ See CAQ Investor Survey. The survey question asked, ``How 
strongly do you agree or disagree with the following statements 
about mandated disclosures of firm and engagement-level metrics?''
---------------------------------------------------------------------------

    This potential unintended consequence will be mitigated as 
investors and audit committees iteratively select and monitor firms and 
advance their understanding of the information content of the required 
disclosures. Audit firms will be able to use narrative disclosures to 
provide context they deem most relevant to facilitate investors' and 
audit committees' understanding. In addition, investors and audit 
committees will be able to seek relevant context when necessary in 
order to avoid misinterpreting the information. For example, lack of 
context may lead to more targeted communication between audit firms and 
audit committees and between investors and audit committees to obtain 
relevant context. Rather than undermining the audit committee chair's 
role, more targeted communication between investors and audit 
committees could support the audit committee chair by enhancing the 
audit committee's effectiveness through accountability to investors. In 
addition, audit committees may become more transparent regarding their 
selection decisions and subsequent monitoring in light of a richer 
information environment and more targeted communication with investors. 
Moreover, neither the proposal nor the final rule call for a data dump 
of information, and audit committees will still be able to focus on the 
information they feel is decision-useful in order to manage any 
liability. Finally, the Board has refined the required disclosures as 
compared to the proposal, such as reducing information required for 
fees and governance, to simplify the required disclosures in response 
to commenter feedback.
ii. Cybersecurity
    As a general matter regarding cybersecurity disclosures, the 
potential cybersecurity vulnerability of a firm could increase via 
disclosures of cybersecurity policies and procedures.\286\ If 
cybersecurity disclosures are sufficiently detailed, the disclosures 
may provide meaningful information to malicious actors to target the 
firm. Malicious actors could use information from disclosed policies 
and procedures to target weaker firms. Some firms agreed that there 
could be potential malicious actors that could use such information in 
a nefarious manner. Two commenters suggested that cybersecurity 
policies and procedures should be reported confidentially rather than 
publicly disclosed to avoid needlessly exposing a firm to potential 
risks and revealing potential weaknesses in policies and procedures 
that could be exploited by potential attackers. Another commenter 
expressed support for high-level disclosure of cybersecurity policies 
and procedures but was opposed to providing specific information as the 
commenter believes it could lead to a firm's and an issuer's security 
being compromised. The Board agrees with these concerns, which is 
reflected by deeming confidential the special reporting of significant 
cybersecurity incidents. In addition, this potential unintended 
consequence will be mitigated by this release's clarification that the 
requirement is not intended to elicit detailed, sensitive information. 
The potential unintended consequence will also be mitigated to the 
extent that a firm decides to enhance its cybersecurity risk management 
in anticipation of the required disclosures. In addition, academic 
research that studies cybersecurity vulnerabilities suggests that 
detailed cybersecurity disclosures do not lead to more attacks.\287\ 
However, the Board notes that findings from the research may not be 
generalizable to the required cybersecurity disclosures.
---------------------------------------------------------------------------

    \286\ See, e.g., Roland L. Trope and Sarah Jane Hughes, The SEC 
Staffs `Cybersecurity Disclosure' Guidance: Will it Help Investors 
or Cyber-thieves More?, Business Law Today 1, 6 (2011) (concluding 
that cybersecurity disclosures that are meaningful enough to enable 
investors to accurately price companies' securities may also contain 
information of value to cybercriminals seeking to exploit a 
cybersecurity vulnerability).
    \287\ See, e.g., He Li, Won Gyun Non, and Tawei Wang, SEC's 
Cybersecurity Disclosure Guidance and Disclosed Cybersecurity Risk 
Factors, 30 International Journal of Accounting Information Systems 
40 (2018) (finding that measures of specificity of incidents do not 
have a statistically significant relation with subsequent 
cybersecurity incidents); Tawei Wang, Karthik N. Kannan, and Jackie 
Rees Ulmer, The Association between the Disclosure and the 
Realization of Information Security Risk Factors, 24 Information 
Systems Research 201, 215 (2013) (finding that companies that 
disclose risk-mitigating information are less likely to be 
associated with cybersecurity incidents).
---------------------------------------------------------------------------

    One commenter suggested that creating a new cybersecurity incident

[[Page 96779]]

reporting requirement for audit firms adds a layer of complexity and 
obligation at a time when valuable resources should be dedicated to 
protecting systems and data by remediating the incident. Several 
commenters suggested that imposing an independent cybersecurity 
incident reporting obligation on firms that differs from other 
cybersecurity incident reporting frameworks could lead to confusion 
among security professionals regarding the circumstances in which a 
reporting requirement is triggered, and possibly conflicting 
requirements. Two commenters questioned the usefulness and efficiency 
of the cybersecurity incident reporting requirement due to the presence 
of other regulatory obligations to report cybersecurity incidents. Some 
commenters suggested the information provided in the cybersecurity 
incident report may be indeterminate because a firm may be continuing 
to gather facts to understand the incident, which could also delay 
investigating and remediating the incident. One commenter expressed 
concern about the ability of firms to assess the ramifications of a 
significant cybersecurity incident and provide meaningful disclosures 
within a 5-business-day filing deadline.
    The Board agrees that the PCAOB cybersecurity incident reporting 
requirements may create additional reporting requirements that differ 
from other reporting frameworks. However, as noted in the Discussion of 
the Reporting Updates section, the Board does not believe there are any 
known direct conflicts between the additional PCAOB reporting 
requirements and other reporting frameworks. In addition, the PCAOB 
reporting requirements for significant cybersecurity incidents are only 
triggered when a firm has a significant cybersecurity incident rather 
than on a periodic basis. Moreover, the PCAOB reporting requirements 
are designed specifically with the protection of investors and the 
public in mind for the provision of public company audits by PCAOB-
registered audit firms, so any additional PCAOB reporting requirements 
will supplement any gaps in other reporting frameworks. The Board 
believes that the reporting requirements for significant cybersecurity 
incidents are not onerous and primarily require general, high-level 
information regarding the incident. Finally, the required reporting for 
significant cybersecurity incidents is confidential rather than 
publicly disclosed, and as described in the Discussion of the Reporting 
Updates section, the required reporting focuses on ``any determined 
effects of the incident on the firm's operations'' rather than 
assessing ramifications of the incident.
iii. Audit Firms May Exit the Market
    Profitability of some firms could be negatively impacted by the 
costs of the final rule. In addition, firms that are less able to 
compete on the operating characteristics could lose market share or be 
forced to lower their audit fees, resulting in strains on their 
profitability. In some cases, firms that are less able to compete by 
managing their operating characteristics as described in a section 
above may be forced to exit the market, thereby reducing the overall 
capacity of the audit market. This consequence could disproportionately 
affect smaller firms and the issuers they audit compared to larger 
firms.
    This potential unintended consequence may be mitigated to the 
extent that more competitive firms in the smaller issuer audit market 
could expand their market share, perhaps by absorbing additional 
capacity from exiting firms.\288\ This potential unintended consequence 
will also be mitigated to the extent that the final rule provides 
accommodation for smaller firms, including reducing the disaggregated 
information required for fees, exempting smaller firms from 
confidentially reporting financial statements and material specified 
events, and adopting phased implementation.\289\
---------------------------------------------------------------------------

    \288\ See, e.g., Jennifer Blouin, Barbara Murray Grein, and 
Brian R. Rountree, An Analysis of Forced Auditor Change: The Case of 
Former Arthur Anderson Clients, 82 The Accounting Review 621 (2007) 
(finding that former Arthur Anderson clients with greater switching 
costs followed their audit team to a new auditor). The Board notes 
that this outcome was realized for larger firms and may not be 
realized for smaller firms.
    \289\ The Board also considered that limiting the reporting 
requirements for material specified events to annually inspected 
firms could reduce incentives for audit firms near the 100-issuer 
reporting threshold to accept issuer audit engagements or grow their 
practice to avoid exceeding the threshold. Staff analysis of signed 
public company audit opinions indicate that, during the 2023 
calendar year, the number of firms near the threshold included two 
U.S. NAFs that signed between 80 and 100 opinions and two U.S. NAFs 
that signed between 100 and 120 opinions. The Board concludes that 
there currently appear to be few audit firms near the threshold.
---------------------------------------------------------------------------

    Several commenters noted the potential unintended consequence that 
audit firms may exit the market. One commenter suggested that over-
regulating can have a detrimental effect on the ability of smaller and 
mid-sized firms to practice within the public company audit market. 
Some firm commenters asserted that the more regulatory costs that are 
imposed on firms, the more likely smaller and mid-sized firms will opt 
out of participating in the issuer and broker-dealer audit market. One 
commenter claimed that they have observed smaller firms exiting the 
public company audit market due to increasing difficulties complying 
with PCAOB reporting requirements. As noted in the proposal and in this 
release, the Board agrees there is a potential unintended consequence 
that audit firms may exit the market as a result of the reporting 
requirements.
    One commenter cited an academic study that found no evidence that 
smaller firms that exited the market for SEC client audits following 
the introduction of Sarbanes-Oxley in 2002 were of lower quality than 
successor smaller firms that did not exit the market, suggesting that 
if smaller firms exit the public company audit market for reasons other 
than inability to provide high quality audit services, audit quality 
could be negatively affected.\290\ The Board believes the commenter 
implies that issuers or broker-dealers may not necessarily obtain a 
higher quality audit after switching to a new auditor that has remained 
in the market. The academic study cited by the commenter acknowledges 
that prior research using other audit quality proxies finds the 
opposite result--i.e., exiting firms indeed have lower audit 
quality.\291\ Firm size is a widely accepted proxy for audit 
quality,\292\ and PCAOB oversight activities indicate that 
noncompliance with auditing standards is higher among triennially-
inspected NAFs.\293\ Therefore, to the extent that smaller firms tend 
to exit rather than larger firms, as commenters contend, then audit 
quality could improve on average as issuers and broker-dealers switch 
to larger firms. The Board notes there is currently some debate on the 
extent to which the large-firm audit quality effect is driven by 
correlated issuer characteristics rather than auditor

[[Page 96780]]

effects.\294\ However, the Board believes compliance with auditing 
standards is less sensitive to issuer characteristics than other audit 
quality proxies (e.g., earnings quality). Subject to other market 
concentration effects arising from exit along with the procompetitive 
effects of the final rule, the Board believes that, on average, the 
firms that any issuers or broker-dealers would switch to would likely 
not provide lower quality audits.
---------------------------------------------------------------------------

    \290\ See Neil L. Fargher, Alicia Jiang, and Yangxin Yu, Further 
Evidence on the Effect of Regulation on the Exit of Small Auditors 
from the Audit Market and Resulting Audit Quality, 37 Auditing: A 
Journal of Practice & Theory 95 (2018).
    \291\ See Mark L. DeFond and Clive S. Lennox, The Effect of SOX 
on Small Auditor Exits and Audit Quality, 52 Journal of Accounting 
and Economics 21 (2011).
    \292\ See, e.g., DeFond and Zhang, A Review of Archival Auditing 
Research 275.
    \293\ See, e.g., PCAOB, Spotlight: Staff Update on 2023 
Inspection Activities (Aug. 2024), available at https://pcaobus.org/resources/staff-publications; A Firm's System of Quality Control and 
Other Amendments to PCAOB Standards, Rules, and Forms, PCAOB Rel. 
No. 2024-005 (May 13, 2024), at Figure 1.
    \294\ See, e.g., Alastair Lawrence, Miguel Minutti-Meza, and 
Ping Zhang, Can Big 4 Versus non-Big 4 Differences in Audit-Quality 
Proxies be Attributed to Client Characteristics?, 86 The Accounting 
Review 259 (2011); Mark DeFond, David H. Erkens, and Jieying Zhang, 
Do Client Characteristics Really Drive the Big N Audit Quality 
Effect? New Evidence from Propensity Score Matching, 63 Management 
Science 3628 (2017).
---------------------------------------------------------------------------

    One commenter asserted that scores of firms have voluntarily exited 
the public company audit market based on strategic decisions in which 
the firms weighed the increasing costs of continued PCAOB registration 
against potential benefits. The commenter cited research that documents 
approximately 60 percent of small PCAOB registered audit firms 
deregistered during the period 2003-2018.\295\ However, the research 
found that firms experiencing more lawsuits and receiving more negative 
signals of audit quality through PCAOB inspections and enforcement are 
more likely to deregister, while there was no evidence that new PCAOB 
disclosure rules for Form 2, Form 3, and Form AP, which became 
effective during the test period, incentivized deregistration.\296\
---------------------------------------------------------------------------

    \295\ See Michael Ettredge, Juan Mao, and Mary S. Stone, Small 
Audit Firms' Public Market Exits, Business Model Changes, and Market 
Consequences, available on SSRN: https://ssrn.com/abstract=4737583 
(2024). The Board notes that SSRN does not peer review its 
submissions.
    \296\ See Ettredge, et al., Small Audit Firms' Public Market 
Exits (concluding that results for three regulatory shocks--Form 2/
Form 3, Form AP, and broker-dealer registrations--suggest that the 
costs to smaller audit firms of complying with new PCAOB regulations 
were not large enough to sway the deregistration decisions of firms 
with public company clients and SEC-registered broker-dealer 
clients).
---------------------------------------------------------------------------

    One commenter claimed based on survey results that the cost burden 
will likely accelerate the exit of smaller and mid-sized firms from the 
public company audit market. While the comment letter was submitted to 
both the Firm and Engagement Metrics docket and the Firm Reporting 
docket,\297\ the survey appears to have been conducted solely for the 
Firm and Engagement Metrics proposal.\298\ While the Board notes the 
point raised by the commenters regarding potential market exit as a 
result of cost burden, the commenter provided no information that would 
help assess the significance of potentially exiting firms to the 
overall audit market. In addition, the commenter provided little detail 
on how the survey was performed to understand whether the results could 
be generalized to the Firm Reporting rule.
---------------------------------------------------------------------------

    \297\ See Firm and Engagement Metrics, PCAOB Rel. No. 2024-002 
(Apr. 9, 2024).
    \298\ The comment letter noted that the survey asked, ``If the 
11 metrics proposal is adopted, what impact would this have on your 
firm's interest in continuing to do public company auditing?'' Of 
the survey responses provided in the comment letter, 6 percent 
responded they would definitely get out of the public company 
market, 17 percent responded they would strongly consider getting 
out of the public company market, 28 percent responded they would 
consider getting out of the public company market, 25 percent 
responded they would eliminate or manage their client base of 
accelerated filers and large accelerated filers, and 25 percent 
responded they intend to stay in the public company market for the 
foreseeable future.
---------------------------------------------------------------------------

iv. Smaller Companies
    Several commenters noted a potential unintended consequence for 
smaller companies to have less incentive to go public or remain public. 
One commenter suggested that the exit of smaller audit firms and higher 
costs for remaining firms can result in higher costs to smaller private 
companies, deterring them from going public. One commenter suggested 
that the proposal failed to address the effects of the reporting 
requirements on initial public offerings (IPOs) and going-private 
activities. One commenter suggested that fewer smaller audit firms and 
higher audit fees will strain new capital formation and move investors 
toward private equity investments that are not available to many 
investors. Another commenter, representing smaller and mid-sized firms, 
asserted that rising costs of regulation increases the likelihood that 
smaller companies either go private or are deterred from entering 
capital markets. The commenter cited an SEC report that shows in 2022, 
the number of exchange-listed IPOs dropped to its lowest point since 
2009.\299\ The commenter also explained that the SEC report noted that 
smaller public companies and new public companies face 
disproportionately high regulatory costs and that smaller exchange-
listed companies account for the vast majority of the decline in 
exchange-listed companies.\300\ The commenter recommended that the 
economic analysis for Firm Reporting and for future PCAOB proposals 
include a specific study of the costs and benefits to smaller firms and 
smaller public companies. Another commenter suggested that a reduction 
in the number of audit firms that service the 40 percent of smaller 
issuers that represent less than 2 percent of overall market 
capitalization could increase the concentration of public companies 
audited by large international firms.
---------------------------------------------------------------------------

    \299\ See SEC Office of the Advocate for Small Business Capital 
Formation, Annual Report Fiscal Year 2023 (2023) (``SEC Annual 
Report'').
    \300\ See SEC Annual Report; Michael Ewens, Kairong Xiao, and 
Ting Xu, Regulatory Costs of Being Public: Evidence from Bunching 
Estimation, 153 Journal of Financial Economics (2024).
---------------------------------------------------------------------------

    While the Board believes that any impact on audit fees could be 
disproportionately higher for smaller public companies and new public 
companies that are more likely to use smaller audit firms, the Board 
also believes that any impact on audit fees on a company's decision to 
go public or remain public is likely small for several reasons. In 
particular, the Board notes that the relationship between 
disproportionately high regulatory costs and the number of IPOs does 
not appear to be conclusive. While the SEC Annual Report demonstrates 
that smaller exchange-listed companies accounted for the vast majority 
of the decline in exchange-listed companies, the report also cites a 
paper that concludes regulatory cost itself is unlikely to explain the 
full magnitude of IPO decline in the U.S. over the past two 
decades.\301\ The Board also notes that accounting fees typically 
comprise roughly 4.5 percent of the costs of an IPO, 0.3 percent of the 
proceeds, and 32 percent of the recurring incremental costs of being a 
public company.\302\ Any

[[Page 96781]]

increase in incremental costs related to IPO fees attributable to the 
final rule would be a fraction of this. In addition, some of the 
required disclosures could provide information to the smaller company 
market that is currently too costly or unavailable. For example, the 
disclosure of actual fee amounts could reduce the cost of finding a 
suitable audit firm for a smaller company that intends to go public by 
providing a convenient source to identify firms based on the size of 
their audit practice. Moreover, this potential unintended consequence 
will be mitigated to the extent that the final rule provides 
accommodation for smaller firms, including reducing the disaggregated 
information required for fees, exempting smaller firms from 
confidentially reporting financial statements and material specified 
events, and adopting phased implementation.
---------------------------------------------------------------------------

    \301\ See Ewens, et al., Regulatory Costs of Being Public 
(explaining that non-regulatory factors--such as decline in business 
dynamism, shifting investment to intangibles, abundant private 
equity financing, changing economies of scale and scope, and 
changing acquisition behavior--are likely to play a more important 
role than regulatory cost in the decline of IPOs).
    \302\ Staff obtained data on accounting fees and legal fees from 
Audit Analytics and investment bank underwriting fees from a 
PricewaterhouseCoopers market research report. See 
PricewaterhouseCoopers, Considering an IPO? First, Understand the 
Costs, available at https://www.pwc.com/us/en/services/consulting/deals/library/cost-of-an-ipo.html and Audit Analytics, 2018-2019 IPO 
Accounting and Legal Fees (Feb. 20, 2020). Staff calculated the 
accounting fee share of IPO costs as the ratio of all accounting 
fees to all IPO costs across all deals in the Board's sample. The 
staff's analysis assumes IPO costs are equal to the sum of 
accounting, legal, and investment bank underwriting fees. The 
PricewaterhouseCoopers market research report indicates that there 
are other IPO cost categories, but they are relatively small. Staff 
calculated deal proceeds by multiplying the quantity of shares 
issued by their price at issue. Staff calculated the accounting fee 
share of proceeds as the proceeds-weighted average accounting fee 
share of proceeds across all deals in the Board's sample. The Board 
notes that the accounting fee share of proceeds is decreasing in 
deal proceeds. The audit percentage of recurring incremental costs 
was reported directly in the PricewaterhouseCoopers market research 
report based on respondents to a survey of CFOs. The recurring 
incremental costs of being a public company are split across five 
areas in the survey: audit (32 percent), investor relations (22 
percent), financial reporting (18 percent), legal (16 percent), and 
regulatory compliance (12 percent).
---------------------------------------------------------------------------

    One commenter suggested that the PCAOB should identify and evaluate 
the characteristics of investors in smaller companies and determine if 
the needs of investors in those companies are the same as the potential 
needs of investors in larger companies. One recent working paper finds 
that institutional ownership is, on average, lower for smaller 
companies.\303\ In addition, academic research suggests that retail and 
non-professional investors rely on less traditional sources of 
information to inform their decision-making processes, which implies 
that investors in smaller public companies may, on average, be less 
likely to utilize the required disclosures.\304\ However, investor-
related groups, which include representation of investors in a variety 
of company sizes, affirmed the decision-usefulness of the required 
disclosures as noted above. Moreover, the Board believes that investors 
in smaller companies could still benefit from the required disclosures 
because: (i) retail investors would benefit from the improved 
accessibility and comparability of information regarding audit firms 
and (ii) institutional ownership in smaller companies, though less than 
larger companies, is not trivial.\305\ Finally, financial reporting 
quality may be especially relevant for smaller companies.
---------------------------------------------------------------------------

    \303\ See Jonathan Lewellen and Katharina Lewellen, The 
Ownership Structure of U.S. Corporations, available on SSRN: https://ssrn.com/abstract=4173466 (2022). The Board notes that SSRN does 
not peer review its submissions.
    \304\ See, e.g., Cassell, et al., Retail Shareholders and the 
Efficacy of Proxy Voting 75; Hux, How Does Disclosure of Component 
Auditor Use 35.
    \305\ See, e.g., Lewellen and Lewellen, The Ownership Structure 
of U.S. Corporations (finding that institutional ownership is 41.6 
percent for the lowest quintile of companies by market 
capitalization).
---------------------------------------------------------------------------

v. Staff Resources
    Several commenters suggested that the reporting requirements could 
contribute to a regulatory environment that makes the auditing 
profession unattractive. One commenter asserted that over-regulating 
can have a detrimental effect on the attractiveness of an auditing 
career. Another commenter asserted that the reporting requirements will 
undermine the attractiveness of public company auditing and the 
accounting profession and exacerbate staffing challenges for audit 
firms in the short-run and down the road. Another commenter, 
representing audit committee chairs, expressed concern regarding the 
impact that more regulation will have on the auditing profession in the 
eyes of new talent as well as current partners and audit firm staff. 
Another commenter, representing smaller and mid-sized firms, cited 
research that found 94 percent of undergraduate accounting majors who 
have chosen not to pursue, or are undecided on, CPA licensure cite as 
either a major reason or part of reason for the decision the belief 
that the regulatory environment makes the auditing profession 
unappealing.\306\ The commenter also explained that the talent impact 
is more pronounced for smaller and mid-sized firms and noted that their 
personnel are beginning to express a desire to exit auditing work as 
the rewards of the work no longer outweigh the costs.
---------------------------------------------------------------------------

    \306\ See Center for Audit Quality, Increasing the Diversity in 
the Accounting Profession Pipeline: Challenges and Opportunities 
(July 2023) (``CAQ Diversity Report'').
---------------------------------------------------------------------------

    The auditor labor market is likely affected by the interplay among 
numerous factors unrelated to the required disclosures, such as the 
rigor of qualifying for and completing the requirements for CPA 
licensure and the relatively low starting salaries. One commenter 
suggested that firm workloads and work-life balance should be included 
in the root cause analysis of the decline of graduates entering the 
audit profession. The CAQ Diversity Report found that lack of interest, 
low starting salaries, and the 150 credit hour requirement were the top 
three major reasons college students chose non-accounting majors.\307\ 
In addition, the CAQ Diversity Report found that cost and time needed 
to reach 150 credit hours are the biggest obstacles keeping 
undergraduate accounting majors from pursuing CPA licensure.\308\ The 
CAQ Diversity Report also found that the top three major reasons 
undergraduate accounting majors chose not to pursue or were undecided 
on CPA licensure were: (i) regulatory environment makes profession 
unappealing, (ii) not enough diversity, and (iii) starting salaries not 
high enough. The CAQ Diversity Report does not clarify whether 
``regulatory environment'' refers to federal regulation regarding 
accounting and auditing standards or state regulation of the profession 
and the 150 credit hour requirement for CPA licensure. Moreover, while 
94 percent of undergraduate majors who are not pursuing or are 
undecided on CPA licensure cite ``regulatory environment makes 
profession unappealing'' as either a major reason or part of reason, as 
noted by the commenter, the Board notes that 95 percent of the same 
respondents to the same question cite ``starting salaries not high 
enough'' as either a major reason or part of reason.\309\
---------------------------------------------------------------------------

    \307\ See CAQ Diversity Report.
    \308\ See CAQ Diversity Report.
    \309\ These results are consistent with academic research that 
considers supply-side and demand-side explanations regarding the 
decline in accounting college majors. For a supply-side explanation, 
see, e.g., John M. Barrios, Occupational Licensing and Accountant 
Quality: Evidence from the 15-Hour Rule, 60 Journal of Accounting 
Research 3 (2022) (finding that the 150-hour rule for CPA licensure 
decreased the number of entrants into the accounting profession). 
For a demand-side explanation, see, e.g., Henry Friedman, Andrew G. 
Sutherland, and Felix W. Vetter, Technological Investment and 
Accounting: A Demand-Side Perspective on Accounting Enrollment 
Declines, available on SSRN: https://ssrn.com/abstract=4707807 
(2024) (finding that fewer students choose an accounting major and 
more choose a finance major as the wage gap of finance majors over 
accounting majors grows in light of technological development that 
favors finance jobs). The Board notes that SSRN does not peer review 
its submissions.
---------------------------------------------------------------------------

vi. Litigation and Reputation Risks
    Some commenters suggested that the required disclosures could 
create litigation and reputation risk. One of the commenters expressed 
concern whether highly sensitive business and competitive information 
will be immune from civil litigation or other legal processes. One 
commenter said that private litigants will be tempted to serve 
discovery requests on the PCAOB. Another commenter suggested that the 
required disclosures will exacerbate audit firm litigation and 
reputation risks. The commenter suggested that the proposal presented a 
myriad of circumstances that could complicate compliance, including the 
timing of filings. Some commenters said that disclosure of sensitive 
information

[[Page 96782]]

could have legal or regulatory implications, including in jurisdictions 
outside the United States that may have differing laws. One commenter, 
representing audit committee chairs, said that some audit committee 
chairs agreed that the required disclosures could create litigation and 
reputation risks.
    The Board agrees that plaintiff lawyers could seek to use some of 
the required disclosures to support their cases. For example, academic 
research finds that PCAOB inspection reports with audit deficiencies 
are positively associated with the number of lawsuits subsequently 
filed against the inspected auditor.\310\ While the required 
disclosures may not be as clearly linked to legal liability as audit 
deficiencies and could encourage some frivolous lawsuits, the Board 
believes that the threat of litigation and reputational risk could 
largely contribute positively to audit quality because the threat will 
create an incentive for firms to provide high quality audits. Indeed, 
the Board believes the threat of litigation and reputational damage 
could help drive more competition on audit quality, a criterion that 
one of the commenters urged us to consider. Moreover, the reporting 
requirements allow for the confidential reporting of highly sensitive 
information as material specified events on Form 3 rather than 
requiring public disclosure. Finally, the Board also believes that the 
impact on reputation is central to the intended impacts of the required 
disclosures.
---------------------------------------------------------------------------

    \310\ See, e.g., Brant E. Christensen, Nathan G. Lundstrom, and 
Nathan J. Newton, Does the Disclosure of PCAOB Inspection Findings 
Increase Audit Firms' Litigation Exposure?, 96 The Accounting Review 
191 (2021).
---------------------------------------------------------------------------

vii. Diversion of Resources
    Several commenters suggested that the reporting requirements could 
cause audit firms to divert resources away from activities that are 
more focused on audit quality. One commenter suggested that the 
reporting requirements will divert resources from quality engagement 
execution to reporting compliance. Another commenter said that 
resources could be better used for audit execution or quality control 
monitoring and remediation efforts. One commenter said the reporting 
requirements will distract the profession from investments and 
activities that are much more likely to benefit the quality of audits. 
Some commenters asserted that the compilation of financial statements 
will result in a diversion of resources away from audit quality.
    The Board agrees that additional resources will be utilized by 
audit firms to comply with the reporting requirements as noted above. 
Some of the time and effort will be associated with centralized efforts 
to develop systems and implement processes. In addition, any potential 
impact on audit quality will be mitigated to the extent that the 
reporting requirements are implemented by administrative personnel 
rather than audit personnel. Firms will likely relieve some of the 
burden by hiring additional staff, as noted by one commenter. Moreover, 
the Board believes its revisions to the proposal in consideration of 
comments--including exempting firms below a specified threshold from 
confidentially reporting material specified events, adopting phased 
implementation for smaller firms, and refining certain required 
disclosures--will help mitigate the resources required to comply with 
the final reporting requirements.
Alternatives Considered
    The development of the final rule involved considering a number of 
alternative approaches to address the problems described above. This 
section explains: (i) why rulemaking is preferable to other policy 
approaches, such as providing interpretive guidance or enhancing 
inspection or enforcement efforts; (ii) other rulemaking alternatives 
that were considered; and (iii) key policy choices made in determining 
the details of the rulemaking approach.
1. Why Rulemaking is Preferable to Other Policy-Making Approaches
    The Board's policy tools include alternatives to rulemaking, such 
as issuing additional interpretive guidance or an increased focus on 
inspections or enforcement of auditing standards. The Board considered 
whether providing guidance or increasing inspection or enforcement 
efforts would be an effective mechanism to address the information gaps 
in the extant PCAOB reporting framework.
    Interpretive guidance inherently provides additional information 
about existing rules and forms. Encouraging additional disclosure via 
interpretive guidance without amending the forms through rulemaking 
would have been less effective because there would have been no 
mechanism for the disclosure. Moreover, interpretive guidance, as 
opposed to line-item requirements, would have reduced the 
standardization and comparability of the information. Inspection and 
enforcement actions take place after insufficient audit performance 
(and potential investor harm) has occurred. Devoting additional 
resources to interpretive guidance, inspections, or enforcement 
activities, without enhancing the current PCAOB reporting framework 
would not have provided the benefits discussed above associated with 
the required reporting changes.
    One commenter questioned whether adding further definition to the 
existing disclosures could improve the data and comparability among 
firms. However, additional definitions for existing disclosures will 
not provide the public benefit of the additional required disclosures. 
One commenter suggested that a mechanism should be established to allow 
cross-referencing to information in firms' transparency reports where 
appropriate. Another commenter suggested that creating a new regulatory 
regime, without considering whether firms' transparency reports and 
audit quality reports that are already in place could serve as the 
basis for wider application, is likely to create additional cost and 
disruption in the ecosystem for little apparent benefit. The commenter 
suggested that the proposal did not discuss ways to expand or enhance 
what is already done by firms in their transparency reports or audit 
quality reports to meet the expectations of investors about topics 
addressed in the proposal without imposing undue burden on firms. 
However, the additional reporting requirements build on the existing 
reporting regime for Form 2 and Form 3 as a wider application of the 
existing reporting regime rather than creating a new regulatory regime. 
For some required disclosures, firms may be able to adapt content from 
their transparency reports and audit quality reports to comply with the 
additional reporting requirements for Form 2 and Form 3 to help 
alleviate the reporting burden. In addition, the proposal and this 
release describe the benefits of the additional reporting requirements.
    The Board considered enhancing its collection of supplemental 
information through the inspection process, including the collection 
instruments, procedures for collection, and the data storage 
infrastructure. This approach would have yielded benefits to PCAOB 
statutory oversight. However, the approach would have yielded no public 
benefits associated with the enhanced information environment as 
described in a section above. The Board believes more extensive 
disclosures, as explained above, are warranted and will accomplish more 
than what will be accomplished by enhancing existing tools for 
supplemental information.
    Several commenters suggested that the reporting requirements be 
implemented through the PCAOB

[[Page 96783]]

inspection process rather than a reporting rule. One commenter noted 
that the PCAOB's possession of and ability to analyze inspections 
information conveys a public benefit, and the PCAOB uses inspections 
information to provide insights about audit quality through the 
publication of aggregated inspections data. Some commenters noted that 
the inspection process will afford confidentiality protections. Another 
commenter suggested standardizing the manner in which information 
requests are collected to support the inspection process.
    The Board acknowledges the public benefit of PCAOB inspections, and 
the Board does not expect that the reporting requirements, including 
the required disclosures, will curtail the scope of inspections or 
inspections information that is made currently available to the public. 
The Board also notes that the final rule specifies the information that 
will be reported and maintained confidentially. In addition, 
information collected through the inspection process would only be 
available every three years for triennially inspected firms. Moreover, 
implementing the reporting requirements through the confidential 
inspection process will not achieve the additional public benefit of 
making information directly available to audit committees and 
investors.
2. Other Rulemaking Alternatives Considered
    Some commenters suggested that the required disclosures should be 
determined based on interactions between audit firms and audit 
committees. One commenter suggested that the public disclosure of 
firms' operating characteristics should continue to be driven by 
established audit committee oversight. The commenter asserted that many 
firms publish information derived from interactions with audit 
committees. Another commenter suggested that audit committees should be 
the primary recipients of the required disclosures to further enhance 
their oversight responsibilities. The commenter suggested that 
disclosures by audit committees are the primary way that audit 
committees relay their judgments made in discharging their 
responsibilities to oversee company management and the audit firm, and 
that the SEC could take actions to strengthen audit committee 
disclosures if investors believe they do not have sufficient 
information regarding ratification voting. The commenter noted an SEC 
Concept Release that considered strengthening audit committee 
disclosures, and the commenter suggested the SEC Concept Release could 
be revisited as a complementary action.\311\ Another commenter 
suggested that tailored discussions with audit committees is most 
useful to fulfill the audit committees statutory responsibilities.
---------------------------------------------------------------------------

    \311\ See Possible Revisions to Audit Committee Disclosures, SEC 
Rel. No. 33-9862 (July 1, 2015) (``SEC Concept Release'').
---------------------------------------------------------------------------

    The Board expects that interactions between audit firms and audit 
committees will continue to be a key component for oversight of the 
audit firm and that audit committee disclosures will continue to 
provide important information to investors. However, relying on 
voluntary firm disclosures and voluntary audit committee disclosures, 
or providing firm disclosures to audit committees without public 
disclosure, will not empower investors with decision-useful information 
or enhance investors' abilities to monitor the audit committee or make 
informed voting decisions to ratify the audit firm. The proposal and 
this release explain that market forces do not provide audit firms with 
sufficient incentives to develop an efficient and effective system of 
standardized voluntary disclosures and that audit committees may not 
always sufficiently fulfill their responsibilities to investors, even 
if those failures are not pervasive. In addition, a recent analysis of 
audit committee disclosures found that less than half of audit 
committee disclosures that were reviewed for S&P large-cap, mid-cap, 
and small-cap companies included disclosures related to a discussion of 
audit committee considerations in appointing or reappointing the audit 
firm.\312\ Moreover, the SEC Concept Release is consistent with the 
Board's view that investors need more information to: (i) evaluate the 
performance of audit committees and audit firms, (ii) vote for or 
against audit committee members, (iii) ratify the appointment of the 
audit firm, and (iv) invest capital. The Board notes that the relevance 
of the SEC's analysis is limited by the fact that it contemplates 
public disclosure by audit committees rather than audit firms and that 
it aims to solicit feedback rather than provide a cost-benefit 
analysis. In addition, the Board notes that the PCAOB has no direct 
authority over audit committees or the SEC.
---------------------------------------------------------------------------

    \312\ CAQ Barometer Report, at 5.
---------------------------------------------------------------------------

3. Key Policy Choices
    During the development of the final rule, the Board considered 
different approaches to addressing key policy choices.
i. Disclosure versus Confidential Reporting
    The Board considered whether the required reporting should be made 
publicly available or reported confidentially. One commenter 
recommended that the expanded fee information, cybersecurity policies 
and procedures, and certain firm governance and network information 
should receive confidential treatment. For the reasons noted above, the 
Board explicitly allows confidential reporting for financial 
statements, material specified events, and significant cybersecurity 
incidents, but the Board believes public availability of the remaining 
information will promote the best transparency of firms and protection 
of investors while at the same time protecting the confidentiality of 
the firm's information. As noted in the Discussion of the Reporting 
Updates section, the Board intends to analyze the information reported 
in firms' financial statements to better understand whether the 
reporting requirements should be further amended to make some or all of 
the reported financial information public.
ii. Scalability
    Several commenters suggested scaling the reporting requirements to 
help smaller firms and foreign firms manage costs. One firm commenter 
recommended exempting firms with 100 or fewer issuers in a calendar 
year. Another firm commenter suggested exempting firms that are 
registered but do not currently issue opinions or participate in audits 
conducted under PCAOB standards. Another commenter suggested exempting 
smaller firms or a certain subcategory of smaller firms. Another 
commenter asserted that applying the reporting requirements to all 
firms ignores the vast differences in firm portfolios and coverage of 
the capital markets. One commenter suggested making accommodations for 
foreign firms that are registered with the PCAOB. One commenter noted 
that smaller firms are not required to have an EQCF oversight role 
under QC 1000 and that disclosure of whether those firms have an EQCF 
may put the firms at a competitive disadvantage and recommended tiered 
reporting requirements under which smaller firms could provide a 
reduced set of disclosures.
    While the Board has agreed in the proposal and in this release that 
there are disproportionate costs faced by smaller firms and foreign 
firms,

[[Page 96784]]

exempting firms from all reporting requirements based on a size 
threshold, opinions issued, non-U.S. location, or other criteria will 
not achieve the public benefits of standardization and comparability 
that is achieved by required reporting for all PCAOB-registered firms. 
However, the Board has exempted firms below specified thresholds from 
confidentially reporting financial statements and material specified 
events to save those firms the costs associated with reporting. In 
addition, the Board has adopted phased implementation to give smaller 
firms more time to develop and implement the necessary tools to comply 
with the requirements. Moreover, the Board has refined the required 
disclosures in response to comments on the proposal, such as reducing 
information required for fees and governance, to reduce costs and ease 
implementation burden. Finally, as explained in the Discussion of the 
Reporting Updates section, the reporting requirement for the EQCF 
oversight role will permit sufficient narrative disclosure for a firm 
to provide context. With sufficient narrative disclosure, the Board 
does not believe that exempting firms from the EQCF oversight role 
under QC 1000 will put firms at a competitive disadvantage.
iii. Principles-Based Reporting
    Several commenters suggested that the reporting requirements should 
be more principles-based. Some commenters suggested that the reporting 
requirements be designed similar to the principles-based transparency 
reporting requirements adopted by the European Union's Eighth 
Directive. The commenters suggested principles-based reporting could 
provide similar benefits at lower cost. One of the commenters asserted 
that the usage of standardized disclosures is based on assumptions and 
understates the variation in reporting that will occur because of the 
variation in how firms are structured and organized. Another commenter 
suggested that principle-based reporting fully aligns with the specific 
ACAP recommendations. Another commenter suggested that principles-based 
reporting allows firms to report in a way that will give more valuable 
insight into the unique qualities of each firm.
    The proposal and this release explain the market failures that lead 
to insufficient voluntary reporting, including principles-based 
transparency reports and audit quality reports that are voluntarily 
provided by firms. In addition, while the Board expects that the 
content of the required disclosures will vary across audit firms based 
on unique qualities of each firm, principles-based reporting will not 
achieve the same public benefits of standardization and comparability 
achieved by the required disclosures. Moreover, the usage of 
standardized disclosures is not based on assumptions but is based in 
part on stakeholder feedback, including investor-related groups, prior 
to the proposal and in public comments responding to the proposal.
iv. Changing Form 2 Reporting Deadline
    The Board considered revising the Form 2 reporting period (April 1 
through March 31) and filing deadline (June 30) to align with the 
reporting period for Form FM (October 1 through September 30) and 
filing deadline (November 30) in order to have a single firm-level 
reporting period and filing deadline. This approach could benefit some 
Form 2 users because the firm-level metrics would have all been 
prepared for the same period and therefore the synergies between the 
two sets of metrics may be increased. It may also benefit firms to 
prepare all firm-level metrics for the same reporting period. However, 
the Board considered that firms may also have existing systems in place 
to prepare and report existing Form 2 information for the current Form 
2 reporting period, and altering those systems may incur costs. 
Moreover, the current period allows firms 90 days following the end of 
the reporting period to file Form 2, while the filing deadline for Form 
FM is 61 days following the end of the reporting period. Thus, the 
change would have represented an acceleration of the filing deadline, 
which may also increase firms' costs.
v. Alternative Reporting Requirements
a. Financial Information
    Some commenters suggested that the required disclosures regarding 
disaggregation of fees should be limited to fees from audit and non-
audit services provided to issuers and broker-dealers. As explained in 
the Discussion of the Reporting Updates section, the final rule 
streamlines the fee disclosure requirements as compared to the proposal 
by, for example, eliminating the proposed requirement to provide 
disaggregated data for audit services billed to non-issuers and non-
broker-dealers and the proposed requirement to report fees billed to 
all clients for each of the four fee categories. One commenter asserted 
that actual fee amounts should remain confidential proprietary 
information and that fees should be disclosed as percentages. However, 
the Board continues to believe that actual fee amounts will increase 
the usefulness of fee reporting as discussed in the Discussion of the 
Reporting Updates section. In addition, requiring actual fee amounts, 
rather than percentages, will decrease potential inconsistencies due to 
varying methodologies used to calculate percentages. One commenter 
suggested that audit fees for issuers are currently available to 
investors on a company-specific basis through SEC disclosures. However, 
the SEC disclosures enable comparisons of audit fees paid by issuers 
but do not enable comparisons of audit fees received by audit firms 
without costly efforts by investors to actually compile the 
information.
    The Board considered whether the confidential provision of 
financial statements should be required for all firms or just the 
largest firms. One commenter suggested the threshold for firms to 
report financial statements should be 500 audit reports with no 
criterion for number of personnel. The Board limited the requirement 
for financial statements to firms with more than 200 reports issued for 
issuer audit clients and more than 1,000 personnel because of the role 
those firms play in the audit market and the value of having their 
financial statements available for the Board's immediate use under 
certain circumstances, such as staff observing detectable unexplained 
changes in a firm's financial health.
    Investor-related groups suggested financial statements should be 
audited and publicly available. Some commenters affirmed the financial 
statements should be confidentially reported or expressed concern that 
there could be avenues through which the financial statements become 
publicly available. The Board has decided to maintain confidential 
reporting of unaudited financial statements because, as noted in the 
Discussion of the Reporting Updates section, the Board does not have 
sufficient information regarding how financial statements would serve 
the public, and the PCAOB staff is well-positioned to understand any 
limitations that a lack of reasonable assurance implies. In addition, 
the PCAOB will use data storage and security protocols for financial 
statements that are used for other confidential data. One commenter 
suggested that in lieu of compiling financial statements in accordance 
with an applicable financial reporting framework, PCAOB inspectors 
could collect key standardized financial metrics through the annual 
data request and firms could provide financial statements prepared in 
accordance with their preferred basis. Several

[[Page 96785]]

commenters suggested that firms should be permitted to provide 
financial statements in accordance with a basis that firms maintain to 
manage their businesses. As noted above, the Board has revised the 
requirement for financial statements to be compiled in accordance with 
an accrual basis of accounting, rather than an applicable financial 
reporting framework, while clarifying the requirement to delineate 
revenue and operating income by service line.
b. Governance Information
    One commenter recommended allowing firms to incorporate by 
reference the applicable governance disclosures from their transparency 
reports to streamline duplicative reporting requirements and reduce 
costs. While audit firms that compile transparency reports will be able 
to choose to leverage duplicative information from their transparency 
reports as a way to reduce costs, all audit firms will be required to 
report a complete set of required disclosures in order to achieve the 
public benefit of standardization and comparability across firms. 
Another commenter suggested that a firm applying QC 1000 could consider 
whether its structure impacts the firm's assessment of quality risks 
and accordingly design appropriate quality responses and communicate 
the strategy and key judgments in the firm's audit quality report or 
transparency report. However, investors will not be privy to a firm's 
assessment of quality risks except to the extent that the assessment is 
voluntarily reported, and most firms do not compile audit quality 
reports or transparency reports. Another commenter suggested that the 
governance disclosures could be streamlined to describe a firm's 
general governance structure without requiring some of the more 
prescriptive disclosures that could be more relevant to some firms than 
others. The Board agrees that the relevance and specified descriptions 
of governance structures may vary across firms. However, a general 
description of a firm's governance structure will not achieve the 
public benefits of the standardized and comparable specified 
disclosures.
c. Network Information
    One commenter suggested revising the required network disclosures 
to focus on matters related to audit quality, such as audit 
methodology, staff training, and quality control rather than focusing 
on financial strength of the network. Some commenters recommended 
permitting firms to report network-related financial obligations 
confidentially because disclosure could put some firms and networks at 
a competitive disadvantage. One commenter explained that network 
structures vary widely and are not a significant factor in smaller 
firms' provision of audit services to issuers or broker-dealers and 
suggested that the required network disclosures apply only to larger 
firms that perform a significant number of multinational audit 
engagements.
    As discussed in the Discussion of the Reporting Updates section, 
the Board has modified the requirement for network disclosures to focus 
on the registered firm and the aspects of its relationship with the 
network that most directly relate to the firm's conduct of audits, 
including access to audit methodologies and training materials, instead 
of asking for network-related financial obligations and other aspects 
of the network relationship. While the Board expects network structures 
to vary across firms, especially firms of different sizes, exempting 
firms based on a size threshold will not achieve the public benefits of 
standardization and comparability that is achieved by required 
reporting for all PCAOB-registered firms.
d. Special Reporting
    Some commenters suggested that the trigger for the material 
specified event timeline should be when an event occurs because a 
threshold of ``substantially likely'' is judgmental. Some commenters 
suggested that the trigger should be the date on which the firm 
determined the event to be material. As discussed in the Discussion of 
the Reporting Updates section, the final rule removes proposed language 
related to planned or anticipated events and restricts reporting to 
events that have occurred. In addition, the reporting period for 
material specified events will begin upon the determination that the 
event is material in light of the shorter reporting timeframe for 
material specified events.
e. Cybersecurity Information
    Several firm commenters suggested alternative reporting 
requirements for significant cybersecurity incidents and cybersecurity 
policies and procedures. One commenter suggested focusing on the 
impacts of a cybersecurity incident rather than requiring details 
regarding the cybersecurity incident, considering concerns about 
disclosing details that could exacerbate security threats. However, 
cybersecurity incidents will be confidentially reported rather than 
publicly disclosed. Another commenter suggested bifurcating reporting 
into: (i) mandatory confidential reporting for incidents that have 
actually occurred and could impact the provision of audit services or 
compromise client information and (ii) voluntary reporting for other 
types of incidents so that PCAOB could assist firms by issuing alerts 
to all firms. However, a voluntary system for reporting other incidents 
and issuing alerts is an alternative that can be enacted without 
rulemaking.
    Two commenters recommended requiring reporting of significant 
cybersecurity incidents only when an incident impacts a firm's ability 
to audit public companies or SEC-registered broker-dealers. The Board 
notes the likelihood that the magnitude of the specified criteria that 
define a significant cybersecurity incident at a firm as explained in 
the Discussion of the Reporting Updates section--i.e., significantly 
disrupted or degraded the firm's operations critical to the functioning 
of the audit practice or those that have led to unauthorized access to 
the electronic information . . . of the firm in a way that has resulted 
in substantial harm to the audit firm's critical audit-related 
operations--could impact a firm's direct or indirect ability to audit 
public companies or SEC-registered broker-dealers, which renders the 
specified criteria equivalent to the recommended criterion.
    One commenter recommended aligning the significant cybersecurity 
incident reporting requirement with existing industry or federal 
guidelines, such as the Federal Information Security Modernization Act, 
and permitting delayed reporting at the request of federal law 
enforcement. While the Board agrees other cybersecurity incident 
reporting frameworks may impose additional reporting requirements on 
audit firms, the PCAOB reporting requirements are designed specifically 
with the protection of investors and the public in mind for the 
provision of public company audits by PCAOB-registered audit firms, so 
any additional PCAOB reporting requirements will supplement any gaps in 
other reporting frameworks. Likewise, delaying reporting to PCAOB at 
the request of federal law enforcement should be determined based on 
whether the requested delay includes confidential reporting to 
regulators.
Special Considerations for Audits of Emerging Growth Companies
    Section 104 of the Jumpstart Our Business Startups (``JOBS'') Act 
imposes certain limitations to the application of the Board's standards 
to audits of Emerging Growth Companies (``EGCs''), as defined in 
Section 3(a)(80) of the

[[Page 96786]]

Exchange Act. Under Section 104, the JOBS Act provides that any rules 
adopted by the Board subsequent to April 5, 2012, shall not apply to 
the audits of EGCs unless the SEC ``determines that the application of 
such additional requirements is necessary or appropriate in the public 
interest, after considering the protection of investors, and whether 
the action will promote efficiency, competition, and capital 
formation.'' \313\ As a result, the final rules are subject to a 
separate determination by the SEC regarding their applicability to 
audits of EGCs.\314\
---------------------------------------------------------------------------

    \313\ See Public Law 112-106 (Apr. 5, 2012). Section 
103(a)(3)(C) of Sarbanes-Oxley, as added by Section 104 of the JOBS 
Act, also provides that any rules of the Board requiring (i) 
mandatory firm rotation or (ii) a supplement to the auditor's report 
in which the auditor would be required to provide additional 
information about the audit and the financial statements of the 
issuer (auditor discussion and analysis) shall not apply to an audit 
of an EGC. The Firm Reporting rule does not fall within either of 
these two categories.
    \314\ The Firm Reporting rule does not impose any additional 
requirements on EGC audits. Nevertheless, the Board has provided 
this analysis of the impact on EGCs to assist the SEC in making the 
determination required under Section 104 to the extent that the 
requirements apply to ``the audit of any emerging growth company'' 
within the meaning of Section 104 of the JOBS Act.
---------------------------------------------------------------------------

    To inform consideration of PCAOB standards and rules to audits of 
EGCs, PCAOB staff prepares a white paper annually that provides general 
information about characteristics of EGCs.\315\ As of the November 15, 
2022 measurement date, PCAOB staff identified 3,031 companies that 
self-identified as EGCs and filed audited financial statements with the 
SEC between May 16, 2021, and November 15, 2022, that included an audit 
report signed by a firm.\316\
---------------------------------------------------------------------------

    \315\ See PCAOB, White Paper on Characteristics of Emerging 
Growth Companies and Their Audit Firms at November 15, 2022 (Feb. 
20, 2024) (``EGC White Paper''), available at https://pcaobus.org/resources/other-research-projects.
    \316\ The EGC White Paper uses a lagging 18-month window to 
identify companies as EGCs.Please refer to the ``Current 
Methodology'' section in the EGC White Paper for details.Using an 
18-month window enables staff to analyze the characteristics of a 
fuller population in the EGC White Paper but may tend to result in a 
larger number of EGCs being included for purposes of the present EGC 
analysis than would alternative methodologies. For example, an 
estimate using a lagging 12-month window would exclude some EGCs 
that are delinquent in making periodic filings.An estimate as of the 
measurement date would exclude EGCs that have terminated their 
registration or that have exceeded the eligibility or time limits.
---------------------------------------------------------------------------

    In general, any new PCAOB rules determined not to apply to audits 
of EGCs would require audit firms to address differing requirements 
with respect to audits of EGCs and non-EGCs.\317\ This is not practical 
in the context of the Firm Reporting rule because the required 
disclosures and confidential reporting are firm-wide and will not be 
differentiable for different types of audits.
---------------------------------------------------------------------------

    \317\ See EGC White Paper, at 17. Based on staff analysis as of 
the November 15, 2022 measurement date, 86 percent of the 263 firms 
that issued audit reports for EGCs performed audits for both EGC and 
non-EGC issuers while 14 percent performed issuer audits only for 
EGCs.
---------------------------------------------------------------------------

    The discussion of the economic impacts of the final rule above is 
generally applicable to all audits performed pursuant to PCAOB 
standards, including audits of EGCs. The required disclosures may 
impact the audit market for EGCs more than the audit market for non-
EGCs to the extent EGCs are more likely to be audited by smaller 
firms.\318\ As discussed above, smaller firms may incur higher costs 
per issuer because smaller firms do not experience economies of scale 
associated with information production and dissemination. However, the 
Board also expects the benefits of enhanced selection and monitoring to 
be higher for smaller firms to the extent that smaller firms currently 
provide fewer and less informative disclosures. Therefore, all else 
equal, both the benefits and costs of the reporting requirements may be 
higher for the EGC audit market than for the non-EGC audit market.
---------------------------------------------------------------------------

    \318\ PCAOB staff analysis indicates that, compared to exchange-
listed non-EGCs, exchange-listed EGCs are approximately 2.6 times as 
likely to be audited by an NAF and approximately 1.3 times as likely 
to be audited by a triennially inspected firm. Source: EGC White 
Paper and S&P.
---------------------------------------------------------------------------

    The benefits linked to financial reporting quality, as articulated 
above, may be especially relevant to EGCs. EGCs are more likely to be 
newer companies, which are typically smaller in size,\319\ receive less 
analyst coverage, and have a shorter SEC financial reporting history 
than the broader population of public companies. The required 
disclosures are expected to enhance transparency of firms in the EGC 
audit market and contribute to an increase in the credibility of 
financial reporting by EGCs. To the extent that the Firm Reporting rule 
improves EGCs' financial reporting quality, the rule may also improve 
the efficiency of capital allocation, enhance capital formation, and 
lower the cost of capital. For example, investors may improve their 
capital allocation by reallocating capital toward EGCs with the 
strongest prospects for generating future risk-adjusted returns. 
Investors may also perceive less risk in the EGC capital markets 
generally, leading to an increase in the supply of capital to EGCs. 
This may increase capital formation and reduce the cost of capital to 
EGCs. The required disclosures could reduce competition in an EGC's 
product market if the indirect costs to audited companies 
disproportionately impact EGCs relative to their competitors.
---------------------------------------------------------------------------

    \319\ See EGC White Paper, at Figure 9 and Figure 12 (indicating 
that exchange-listed EGCs have lower market capitalization and 
revenue than exchange-listed non-EGCs).
---------------------------------------------------------------------------

    One commenter suggested that requiring disclosures by firms that 
audit EGCs could impact the ability of EGCs to find auditors at a 
reasonable cost to be able to participate in capital markets. As noted 
above, the Board believes that the required disclosures could have a 
disproportionately higher cost impact for smaller companies and new 
public companies that are more likely to use smaller audit firms. The 
Board also notes above that investors in those smaller companies could 
accrue benefits from the required disclosures. In addition, as noted in 
the proposal and in this section, both benefits and costs of the 
required disclosures may be higher for the EGC audit market than for 
the non-EGC audit market.
    Accordingly, and for the reasons explained above, the Board will 
request that the SEC determine that it is necessary or appropriate in 
the public interest, after considering the protection of investors and 
whether the action will promote efficiency, competition, and capital 
formation, to apply the Firm Reporting rule and any related amendments 
to firms that audit EGCs.

III. Date of Effectiveness of the Proposed Rules and Timing for 
Commission Action

    Within 45 days of the date of publication of this notice in the 
Federal Register or within such longer period (i) as the Commission may 
designate up to 90 days of such date if it finds such longer period to 
be appropriate and publishes its reasons for so finding or (ii) as to 
which the Board consents, the Commission will:
    (A) By order approve or disapprove such proposed rules; or
    (B) Institute proceedings to determine whether the proposed rules 
should be disapproved.

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and 
arguments concerning the foregoing, including whether the proposed 
rules are consistent with the requirements of Title I of the Act. 
Comments may be submitted by any of the following methods:

[[Page 96787]]

Electronic Comments

     Use the Commission's internet comment form (https://www.sec.gov/rules/pcaob); or
     Send an email to [email protected]. Please include 
PCAOB-2024-07 on the subject line.

Paper Comments

     Send paper comments in triplicate to Vanessa A. 
Countryman, Secretary, Securities and Exchange Commission, 100 F Street 
NE, Washington, DC 20549-1090.

All submissions should refer to PCAOB-2024-07. This file number should 
be included on the subject line if email is used. To help the 
Commission process and review your comments more efficiently, please 
use only one method. The Commission will post all comments on the 
Commission's internet website (https://www.sec.gov/rules/pcaob). Copies 
of the submission, all subsequent amendments, all written statements 
with respect to the proposed rules that are filed with the Commission, 
and all written communications relating to the proposed rules between 
the Commission and any person, other than those that may be withheld 
from the public in accordance with the provisions of 5 U.S.C. 552, will 
be available for website viewing and printing in the Commission's 
Public Reference Room, 100 F Street NE, Washington, DC 20549, on 
official business days between the hours of 10 a.m. and 3 p.m. Copies 
of such filing will also be available for inspection and copying at the 
principal office of the PCAOB. Do not include personal identifiable 
information in submissions; you should submit only information that you 
wish to make available publicly. You may redact in part or withhold 
entirely from publication submitted material that is obscene or subject 
to copyright protection. All submissions should refer to PCAOB-2024-07 
and should be submitted on or before December 26, 2024.

    For the Commission, by the Office of the Chief Accountant.
Vanessa A. Countryman,
Secretary.
[FR Doc. 2024-28148 Filed 12-4-24; 8:45 am]
BILLING CODE 8011-01-P