Monday, January 10, 2011

PCAOB Enters Agreement with U.K. Regulator to Share Auditor Information

The Public Company Accounting Oversight Board (PCAOB) has entered into a statement of protocol with the U.K. Professional Oversight Board (POB) to share information regarding auditors that practice in both the U.S. and U.K. The protocol is a step towards resumption by the PCAOB of inspections of U.K. auditors for the first time since 2008.

The protocol also is the first cooperative agreement entered under the PCAOB's new authority to work with foreign regulators under the Dodd-Frank Wall Street Reform and Consumer Protection Act.

Dodd-Frank Act Section 981 updated the Sarbanes-Oxley Act to allow the PCAOB to share information with its foreign counterparts. Specifically, the PCAOB may share all information listed in SOX Section 105(b)(5)(A) related to a public accounting firm that is subject to the inspection of a foreign auditor oversight authority. "Foreign auditor oversight authority" means any governmental body or other entity empowered by a foreign government to conduct inspections of public accounting firms or otherwise to administer or enforce laws related to the regulation of public accounting firms. Section 929J of the Dodd-Frank Act also gives the PCAOB authority to access audit work papers and other documents of foreign auditors who perform material services relied upon by a registered public accounting firm in conducting an audit.

The protocol states that its purpose is to "facilitate cooperation" between the PCAOB and the POB in the oversight, inspection, and investigation of firms within both regulators' jurisdiction, subject to applicable national laws (Article I, 2). Article III establishes the scope of PCAOB-POB cooperation. Cooperation may include the sharing of information that relates to firms within the jurisdiction of the PCAOB and the POB. Information must be used by PCAOB and POB according to the requirements of the Sarbanes-Oxley Act and the U.K. Companies Act 2006, respectively (Article III, A, 1). "Information" means public and nonpublic information including, but not limited to, reports on the outcome of inspections, and audit working papers or other documents, if the reports or documents relate to firms or matters within PCAOB-POB jurisdiction (Article II).

The protocol also allows one regulator to assist the other in an inspection or investigation. The protocol contemplates a wide range of permitted activities, including facilitating access to information, and/or (if requested) reviewing audit work papers or other documents, interviewing firm personnel, and reviewing firm quality controls and/or other testing of firm audit, supervisory, and quality controls (Article III, A, 2). However, a requesting party may not ask for assistance or information that is disallowed under its own laws (Article III, A, 3). But PCAOB and POB may exchange inspection guides (Article III, A, 5).

The term "inspections" means a review of firms to assess the degree of compliance of the firm and its associated persons with the laws, rules, and professional standards for audits, the issuance of audit reports, and related matters. "Investigations" means investigations by the PCAOB or POB of any act or practice, or omission to act, by a firm or associated person that may violate any laws, rules, or professional standards (Article II). Requests for information must be in writing and comply with the requirements of Article III, B.

Confidentiality was a key issue for Congress in drafting PCAOB's new authorities. Under Section 981, the PCAOB may provide information to a foreign regulator, without the information losing its status as confidential and privileged, if, among other things, the foreign auditor oversight authority provides to the PCAOB any requested assurance of confidentiality, a description of the foreign authority’s information systems and controls, and a description of the relevant laws and regulations of the foreign government that apply to information access. The Senate committee report observed:

The Committee believes that the Board could accept an assurance of confidentiality as adequate even in circumstances where the foreign auditor oversight authority could disclose the information to relevant law enforcement or regulatory authorities in its jurisdiction, so long as any such authorities are also committed and able to comply with confidentiality limitations comparable to those that apply to the U.S. and state entities with which the Board shares information under Section 105(b)(5)(B) of the Act (S. Rep. No. 111-176, p. 152–153).

Article IV of the protocol deals with the confidentiality of nonpublic information, personal data, and professional secrets. Specifically, a requesting party must establish necessary and appropriate safeguards, including secure storage for information not in use. A requesting party must provide the other party with a description of its information systems and controls, and of the applicable laws and regulations that limit access to nonpublic information. The requesting party must inform the other party of any changes to its safeguards, systems, laws, or regulations that would weaken confidentiality.

The requirement of confidentiality extends to persons who are or have been employed by, associated with, or involved in governing the PCAOB or the POB. Access to nonpublic information must be restricted to persons or entities that are independent of the auditing profession, meaning those individuals or firms that are not practicing auditors or affiliated with an audit firm. Public inspection reports may be issued under the applicable national laws. However, notice must be given by one party to the other before publicly announcing sanctions imposed on an auditor or audit firm located in and subject to the other party's jurisdiction. Additional rules govern the sharing of nonpublic information with third parties. Article V states that the transfer of personal data is subject to arrangements which provide adequate levels of protection for data subjects in the processing of personal data.

The protocol became effective upon signature on January 10, 2011, and is set to expire on July 31, 2013.

This post was provided by Mark S. Nelson, Legal Analyst, Federal Securities Products, Wolters Kluwer Law & Business.