The Public Company Accounting Oversight Board and the Securities and Exchange Commission ramped up enforcement against auditors in the first half of 2024, but activity was more muted in the second half of the year, due to a key Supreme Court decision and multiple lawsuits against the PCAOB, according to a new report.

The report, from the Brattle Group, found that the PCAOB and SEC together brought 58 enforcement actions against auditors in 2024, in line with 2023 (60) and 2022 (59) levels, but more than 50% higher than the average number of initiated actions during the regulators’ prior administrations (2018–2021) until Erica Williams took over as chair of the PCAOB and Gary Gensler became chair of the SEC. However, Gensler stepped down on Inauguration Day after Donald Trump announced he would be naming former SEC commissioner Paul Atkins as the next SEC chair. Last June, after the Supreme Court issued its ruling in the case of SEC v. Jarkesy restricting the use of administrative law judges, the SEC dropped most of its pending cases against auditors. While aggregate enforcement activity remained elevated in 2024, the SEC only initiated seven actions against auditors in 2024, down 50% from 2023. In the Jarkesy case, the Supreme Court ruled that the SEC’s use of administrative proceedings to seek financial civil penalties in a securities fraud suit was unconstitutional.

Together, the PCAOB and SEC imposed $52.2 million in monetary sanctions against auditors in 2024, an increase of 66% from 2023 and 2.5 times higher than the 2018–2021 average, when Jay Clayton was leading the SEC and William Duhnke was chairing the PCAOB.

2024 enforcement was driven mainly by the PCAOB, which brought 88% of total actions and imposed 68% of total penalties.

The Supreme Court ruling appears to have affected the PCAOB, as well as three similar but anonymous lawsuits filed under the pseudonym John Doe from two individual auditors facing disciplinary action from the PCAOB and one auditing firm under investigation. While the PCAOB imposed record-breaking penalties for the third year in a row, enforcement statistics saw an unprecedented decline in the second half of the year. An uncharacteristically low 33% of the 51 actions initiated by the PCAOB in 2024 were brought in the second half of 2024, a departure from the 76–86% in the second half of each of the previous four years. Only 2% of the penalties imposed by the PCAOB in 2024 were imposed in the second half of the year, in stark contrast with 2023, when 83% of total penalties were imposed in the second half of the year. PCAOB activity in the second half of the year was at its lowest levels of any point in recent years.

“Though PCAOB and SEC enforcement against auditors remained high in 2024, aggregate statistics don’t tell the full story,” said Alison Forman, co-leader of Brattle’s Accounting Practice, in a statement Thursday. “In fact, activity appears to have been substantially impacted by the Supreme Court’s SEC vs. Jarkesy ruling, which found that the regulator’s use of administrative proceedings to seek financial civil penalties for securities fraud was unconstitutional. We expect fallout from Jarkesy and similar constitutional challenges facing the PCAOB — as well as the new presidential administration — to dramatically shift the enforcement landscape moving forward.”

The findings on the PCAOB mostly align with a report released last week by Cornerstone Research, which found the PCAOB increased its enforcement activity in 2024 to its highest level since 2017, and monetary penalties levied by the PCAOB reached their highest for the third consecutive year. The Cornerstone report found the PCAOB publicly disclosed 51 total enforcement actions, including 40 actions involving the performance of an audit. Most of these actions came in the first half of the year, with only 10 auditing actions finalized after the Supreme Court ruled against the use of administrative law judges in SEC v. Jarkesy. At $35.7 million, the number of total monetary penalties in 2024 marked a 78% increase over 2023 and represented nearly 40% of all monetary penalties imposed since the PCAOB’s inception.

The release of the two reports come amid speculation that under the Trump administration, enforcement and penalties at both the PCAOB and the SEC may decline further, and the PCAOB may even be absorbed into the SEC, despite the Sarbanes-Oxley Act of 2002 that created the PCAOB. A change in the composition of the board members is also likely, as the PCAOB underwent sharp changes in both the first Trump administration and the Biden administration.

Ukraine, Iraq, Haiti and Bangladesh have been added to countries for tax year 2024 for which some requirements have been waived concerning foreign earned income exclusions.

Generally, U.S. citizens or resident aliens living and working abroad whose tax home is in a foreign country, and who meet either a bona fide residence test or a physical presence test, can choose to exclude from their income up to $126,500 for 2024 of their foreign earned income. Both the bona fide residence test and the physical presence test contain minimum time requirements.

The Internal Revenue Code defines the term “qualified individual” in regard to these taxpayers as either:

• An individual whose tax home is in a foreign country and who is a U.S. citizen and establishes that they have been a bona fide resident of a foreign country or countries for an uninterrupted period that includes an entire taxable year; or,
• A citizen or resident of the U.S. who during any 12 consecutive months is in a foreign country or countries during at least 330 full days. 

Rev. Proc. 2025-17 provides a waiver for the time requirements for individuals electing to exclude their foreign earned income who must leave a foreign country because of war, civil unrest or similar adverse conditions in that country.

The Secretary of the Treasury and the Secretary of State have determined that such conditions precluded the normal conduct of business and affected taxpayers who left the Ukraine on or after Jan. 13, 2024; Iraq on or after Jan. 18, 2024; Haiti on or after Jan. 23, 2024; and Bangladesh on or after Aug. 5, 2024.

For example, an individual who left Ukraine on or after Jan. 13, 2024, will be treated as a qualified individual with respect to the period during which that individual was a bona fide resident of, or was present in, Ukraine if the individual establishes a reasonable expectation that he or she would have met the requirements of Section 911(d) but for those conditions.

The revenue procedure is scheduled for publication in the Internal Revenue Bulletin on March 24.

The Institute of Internal Auditors has released a draft version of proposed requirements on third-party governance, risk management and control processes to include in audit plans.

The IIA is asking for feedback on the document, Third-Party Topical Requirement, which will be open for public comment until April 20. Internal auditors and stakeholders can participate in the public comment survey to share their input on the draft and help shape the criteria and requirements for providing assurance on governance, risk management, and control processes related to third parties.

The Topical Requirements are part of the IIA’s broader International Professional Practices Framework alongside its Global Internal Audit Standards and Global Guidance. They don’t mandate that a specific risk area be included in audit plans, but provide practitioners with a set of baseline requirements for assessing key risk areas that impact organizations globally and are likely to be included in most audit plans. 

The document was developed with input from internal audit practitioners and stakeholders globally, and offers a consistent and comprehensive approach to assessing the design and implementation of third-party governance, risk management, and control processes.

“We’ve developed a Topical Requirement on third-party relationships due to the pervasiveness of third-party risks for organizations today,” said IIA CEO Anthony Pugliese in a statement Thursday. “Particularly in light of geopolitical shifts that are driving global trade and supply chain disruptions, third-party relationships can present a number of threats to organizations including operational, reputational and compliance risks. It’s more important than ever that organizations today have a robust and consistent approach to assessing third-party risk management and control processes.” 

The first Topical Requirement was released in February and provided requirements for internal auditors providing assurance on cybersecurity governance, risk management and control processes. More topics are under development, including business culture, business resilience, and anti-corruption and bribery.

Participants can review the draft Third-Party Topical Requirement in English and submit their feedback between March 6 – April 20 through the survey. Both the draft and the survey are available in different languages. The Third-Party Topical Requirement is also accompanied by a user guide that offers supplementary considerations. All the documents are available at www.theiia.org/comment.