Below is some news from Shas Das of Hunton & Williams. Shas recently joined Hunton from the PCAOB, most recently serving as an Associate Director in the PCAOB’s Office of International Affairs, where he negotiated bilateral agreements providing for cross-border inspections with Germany, Denmark, Greece. He also served as the PCAOB’s chief liaison with the Chinese regulatory authorities for five years. Recently, Shas was reading through some PCAOB releases and noticed some fine print in the EU’s recent adequacy directive that suggests the EU would like to move away from joint inspections with the PCAOB in favor of US authorities recognizing the work of their European counterparts:
Two weeks ago, the PCAOB issued a “Staff Inspection Brief” outlining the scope, focus, and objectives of its ongoing 2016 inspections of auditors of public companies. While the inspection brief addressed topics ranging from recurring or common audit deficiencies found during previous inspections cycles (including auditing internal control over financial reporting, assessing and responding to risks of material misstatement, auditing accounting estimates), to cybersecurity risks, the document conspicuously avoids any reference to the fact that on that very same day, the European Commission renewed the PCAOB’s adequacy decision for an additional six years (until 2022), thereby allowing the PCAOB continued access to the audit work papers of its EU counterparts, but notably, unlike previous EU Directives, it provides that joint inspections will only be conducted in “exceptional circumstances.”
With limited exception, the PCAOB conducts its inspections of registered audit firms based overseas jointly with the home country regulator; in other words, the PCAOB will obtain access to audit work papers and relevant audit firm personnel in coordination with its EU counterparts – and, in most if not all cases, will share its inspections findings with its EU audit regulator counterpart. Typically, such inspections are facilitated through the execution of Statement of Protocols with the EU audit oversight authority in the jurisdiction where the audited firm registered with the PCAOB is located – these SOPs govern how the inspection will be conducted and generally reflect the product of extensive negotiations, balancing the importance of the PCAOB’s need to conduct its inspections in a manner that enables it to achieve its audit oversight objectives pursuant to Section 104 of Sarbanes-Oxley with the local law of the EU member state. The last such agreement negotiated by the PCAOB with any foreign regulator (EU or otherwise) was executed in September 2015 (with Luxembourg).
Before any EU member state or audit authority can transfer audit work papers to a foreign authority, under applicable EU law, the foreign authority must be deemed “adequate.” The term “adequacy” refers to the ability of a third country authority to fulfill the requirements set out in the EU’s Statutory Audit Directive (2006/43/EC) and, in particular, its capacity to enter into reciprocal working arrangements with the EU Member States with regard to the exchange of audit working papers or other relevant documents between competent authorities. This also covers the preservation of the confidentiality of any such documents that authorities from third countries may receive from EU Member States.
Notably, the EU’s recently issued adequacy decision that relates to the PCAOB provides for the following:
“(17) The ultimate objective of cooperation on audit oversight between Member States’ competent authorities and the competent authorities of the United States is to reach mutual reliance on each other’s oversight systems. In that way, transfers of audit working papers or other documents held by statutory auditors or audit firms and of inspection or investigation reports should become the exception. Mutual reliance would be based on the equivalence of auditor oversight systems of the Union and of the United States [emphasis added].
(18) The competent authorities of the United States intend to further evaluate the auditor oversight systems in the Member States before deciding to fully rely on the oversight performed by their competent authorities. Therefore, the mechanism of cooperation between the competent authorities of the Member States and the competent authorities of the United States should be reviewed to assess the progress made towards reaching mutual reliance on each other’s oversight systems. For that reason, this Decision should be applicable for a limited period of time.
(19) Notwithstanding the time limitation, the Commission will monitor developments in the supervisory and regulatory cooperation on a regular basis. This Decision will be reviewed as appropriate in light of the supervisory and regulatory changes in the Union and in the United States, taking into account available sources of relevant information. That review may lead to the withdrawal of the declaration of adequacy [emphasis added].”
The EU has previously adopted decisions recognizing the adequacy of the auditor oversight systems in Canada, Japan, Switzerland, and most recently Brazil, the Dubai International Financial Centre, Guernsey, Indonesia, the Isle of Man, Jersey, Malaysia, South Africa, South Korea, Taiwan, and Thailand. In addition to the aforementioned countries, the EU has declared auditor public oversight systems in the following jurisdictions to be “equivalent” to the EU Member States’ auditor public oversight systems, thus allowing EU members states to exempt the auditors and audit firms located in these jurisdictions from the requirements to be registered and subject to EU oversight: Australia, Canada, China, Croatia, Japan, Singapore, South Africa, South Korea and Switzerland. Though the US audit oversight system has also been deemed equivalent with the EU audit oversight system, this decision has been time-limited due to the fact that the US has not, in the past, fully supported the goal of reaching mutual, full reliance. Nevertheless, in keeping with the latest extension of the adequacy decision for six years, it now appears that the PCAOB (with the SEC’s concurrence) has determined to proceed along a path of full, mutual reliance that may result in very few joint inspections conducted by the PCAOB in the EU during the coming years – raising questions about the continued efficacy of the PCAOB’s international inspections program.
The PCAOB has bilateral cooperation agreements with 22 foreign audit regulators, of which 13 are located in Europe (including Norway and Switzerland). The ramifications of the EU’s renewal of the adequacy decision, and more specifically the severe limitations placed on the PCAOB’s access to audit work papers and ability to conduct joint inspections, could have far reaching effects and negatively impact the PCAOB’s long-standing negotiations with the Chinese regulators regarding access to sensitive audit work papers of Chinese companies listed in the U.S.
It will be interesting to see how the Chinese regulators and audit firms view the new terms of engagement between the PCAOB and the EU on cross-border inspections, particularly when taking into account references in the EU’s adequacy decision that “cooperation should always take place under the conditions set out in Article 47(2) of Directive 2006/43/EC and in this Decision, in particular as regards the need to respect sovereignty, confidentiality and reciprocity [see paragraph 11 of the EU’s Adequacy Decision].”
More on “The Mentor Blog”
We continue to post new items daily on our blog – “The Mentor Blog” – for TheCorporateCounsel.net members. Members can sign up to get that blog pushed out to them via email whenever there is a new entry by simply inputting their email address on the left side of that blog. Here are some of the latest entries:
– Directors Survey: Internal Audit Makes The Grade
– Compliance: Increased Regulation Cited as #1 Challenge
– Corporate Human Rights Benchmark Launched
– IT/Cyber Oversight: Guidance for Directors
– Standalone Board Risk Committee Considerations
– Broc Romanek