The US Sarbanes-Oxley Act established, amongst other things, the PCAOB. The PCAOB regulates the audits of companies with securities listed in the United States of America.
Registration with the PCAOB
In 2003, the PCAOB finalised a set of rules requiring registration with it of firms that audit US listed companies. Audit firms outside the US that audit entities with a primary or secondary listing in the US, or a significant subsidiary thereof, need to register with the PCAOB. This involves completing an initial form, with an annual update and fee. For UK and many other auditors, the initial registration needs to be accompanied by a legal opinion confirming that certain information and consents may not be supplied to the PCAOB. However, this opinion does not need to be updated annually unless there is reason to believe the law has changed
Scope of the PCAOB
The PCAOB mainly covers US audit firms. However, it also covers non-US firms that:
- have clients with shares (including ADRs) listed in the US (which includes any public company required to file reports with the Securities and Exchange Commission or that has filed a registration statement in the US for a public offering of securities); or
- 'play a substantial role in the preparation or furnishing of an audit report' on such companies.
The PCAOB defines the latter as being responsible for 20% or more of total audit hours or audit fees, or for performing the majority of the audit procedures with respect to a subsidiary or component of any issuer, which 'constitute 20% or more of the consolidated assets or revenues of such issuer necessary for the principal accountant to issue an audit report on the issuer'.
Thus, any firm auditing an unlisted UK subsidiary of a listed US company (or of a UK company with a secondary US listing) could be required to register if the subsidiary is fairly large relative to the group as a whole and the parent auditor relies on the UK auditor's report for group audit purposes. If in doubt, we suggest you contact the primary group auditor for clarification.
If you need to register, it covers the whole audit firm. Individual offices do not need to register, but international affiliations which comprise a series of legally separate national or regional firms will have to register separately if they are included in the scope.
The process involves payment of a fee and completion of a lengthy form. The form, together with instructions and Q&As, is available on the PCAOB website. The form itself can be completed online after obtaining an ID from the PCAOB.
Information requested includes details of:
- the audit firm and its offices;
- the relevant clients it is responsible for;
- individuals at manager level or above who take part in the relevant audits;
- the total number of partners and employees; and
- pending and past legal and other proceedings relating to audits.
The firm also has to consent to be subject to the oversight by the PCAOB.
During the initial consultation period, ICAEW pointed out that there are major legal constraints in disclosing data relating to individuals, particularly outside of the European Union. The PCAOB subsequently recognised in its registration rules that there are legal issues outside the US and allows non-disclosure provided certain requirements are complied with.
The items contained in Parts I-VII of the form require disclosure of specific information. Item 8.1 of the form requires the firms to provide a general consent to complying with future requests for information or cooperation by the PCAOB, and to obtain the same consents from their associated persons.
UK firms will need to consider whether the information required to be disclosed to the PCAOB in various elements of the application form (particularly Parts V and VII) can be legally disclosed within the constraints of the Data Protection Act 1998. We understand there are a number of issues.
- In order to comply with the requirements of that Act, where information in the registration application form relates to individuals, their specific, informed and freely-given consent is necessary.
- Some information required may be protected by confidentiality laws, including audit client information.
- In order to provide certain information on the form, firms will need to seek the prior consent of their audit clients.
- Compliance with future requests of the PCAOB in connection with Item 8.1, may, depending on what is requested, breach a variety of English laws, including data protection, client and third party confidentiality laws.
- Given the generality of Item 8.1, in that associated persons are requested to consent to disclosure of 'any information at any time in the future', as regards disclosure of their own personal information, we understand this would not be a valid consent under the Data Protection Act as it is not sufficiently specific.
- Enforcing Item 8.1 consent against associated persons of the firm (for example, by dismissing them or removing them from US issuer audit work) may trigger further breaches of laws, including employment laws.
The PCAOB registration requirements permit non-disclosure of information where such disclosure would result in a breach of local law, with certain conditions. Where the application is incomplete, for example, in respect of Item 8.1 or where other consents have been withheld on legal grounds, the PCAOB needs to be provided with:
- a legal opinion obtained by the firm outlining the relevant legal impediments to the firm responding to the Items of the form;
- a copy of the relevant legislation; and
- an explanation (where relevant) of the steps taken to obtain consents and waivers to overcome any legal impediments identified.
We are aware that a number of affected firms have been able to collaborate in groups, to obtain the relevant legal advice.
Costs, timing and ongoing reporting
Registration requires the payment of a registration fee (which will not be refunded even if registration is refused) based on the number of issuer clients. However, this only becomes large when the firm has more than 100 issuer clients, which is unlikely to impact on even the largest UK audit firms. Fees vary from year to year.
The more significant costs for firms to assess when considering registration, are likely to be the internal administrative costs involved in the initial gathering of information, ongoing maintenance and extra regulatory oversight.
Registered firms will need to keep the information up to date, using forms 2, 3 and AP.
Form 2, in essence, needs to be sent in every year by 30 June (starting in 2010), containing similar information to the initial registration form. The legal disclosure issues that applied to the initial form, described separately, also apply.
Form 3 is a special report form which needs to be sent to the PCAOB when certain events have happened: withdrawal of an audit report; association with suspended firms or people; certain legal proceedings; change in licence status; etc.
Form AP took effect in 2107 and requires information to be disclosed on the name of the partner signing the report and details of other accounting firms involved.
Forms 2, 3 and AP, together with general instructions are available on the PCAOB website.
Note that we have been advised by the PCAOB that the annual submission of form 2 does not require a new, annual legal opinion where local national law prohibits affirmative answers to all of the questions. Provided the firm has reason to believe that the national law has not changed since the original legal opinion was obtained for submitting form 1, that original opinion remains valid.
Although attempts continue through the European Union to achieve mutual recognition arrangements in respect of registration, UK firms wishing to audit entities within the PCAOB's remit currently need to register directly with them. This does not impact in any way on the requirements relating to registration with ICAEW in respect of UK audits.
Firms intending to commence audit work on companies within the PCAOB's scope may register at any point providing they have completed registration before they 'prepare or issue audit reports on U.S. public companies or participate in such audits'.
Continued regulatory oversight and inspections
ICAEW, the Financial Reporting Council and the European Commission have been involved in discussions with the Board to see how its impact on non-US audit firms might be minimised. The PCAOB issued an initial briefing paper and subsequent rules on oversight of non-US audit firms aiming to 'develop an efficient and effective co-operative arrangement where reliance may be placed on the home countries' system to the maximum extent possible'.
Commentary on dealing with non-US firms is available at the PCAOB's website, but the key aspects of regulatory oversight are summarised below:
- The PCAOB has established its own inspectorate to undertake monitoring of audits undertaken by firms registered with it, in a similar manner to that which ICAEW has performed over the years, through the Quality Assurance Directorate. The PCAOB carries out inspections of UK firms registered with it, directly.
- The PCAOB seeks to cooperate with the local inspection process (normally the Audit Inspection Unit in the UK). Usually it agrees the inspection work program in advance, it may require a PCAOB inspector to be involved depending on the circumstances, and would expect to review elements of the work papers resulting from the inspection.
- In principle the Board can undertake its own investigations of firms registered with it and would require co-operation. It can impose civil penalties including fines, suspension or withdrawal of registration, suspension of individuals from working on clients within its scope or detailed remedial requirements.
- However, the Board has recognised that unnecessarily duplicative investigations and disciplinary sanctions are undesirable and it will seek to rely, where possible, on local investigatory systems and ensuing sanctions. It does however reserve the right to conduct its own investigations and impose further sanctions should they be believed to be necessary, taking into account what has happened locally.
Access to audit working papers
National laws differ as to whether the PCAOB can be granted access to audit working papers of non-US audit firms that relate to a US audit. UK audit firms can grant access to their audit working papers if requested by the US authorities, under certain conditions.
As a result of amendments to section 106 of the US Sarbanes-Oxley Act, where a US audit firm relies on material work by a non-US audit firm, it must now be able to produce the audit working papers of the non-US firm if the PCAOB or SEC require it.
US firms may therefore be requesting consent from their non-US affiliates to produce these working papers on request. However, there are issues with UK law about access to UK information: UK firms registering with the PCAOB will have submitted a legal opinion confirming that they cannot agree to unrestricted requests for information, under UK law. This opinion remains valid.
The question arises therefore as to whether UK audit firms can sign such consents and produce the audit working papers on demand.
Conditions for granting access
Developments in early 2011 have clarified the position as regards UK audit firms and allow access to be granted under certain conditions.
The key documents are:
- SI 2010/2537 (Transfer of Audit Working Papers to Third Countries) Regulations 2010
- ICAEW Audit Regulation 3.14, which effectively mirrors the law, and
- The Statement of Protocol between the Public Company Accounting Oversight Board of the United States and the Financial Reporting Council (FRC) of the United Kingdom, dated 10 January 2011.
In essence, these allow UK audit working papers requested by the PCAOB to be transferred to them under certain conditions. That is, that audit working papers and other documents requested by the PCAOB can only be transferred to the PCAOB
- by the FRC;
- by the firm with the clear agreement of the FRC; or
- in exceptional cases, directly to the PCAOB by the firm, provided that (amongst other things) PCAOB informs the FRC in advance the other Party of each direct request for information, indicating the reasons thereof.
From a practical aspect, the FRC has agreed with the PCAOB that routine requests for information - for example for registration with the PCAOB - can go directly to the firms, copied to Audit Quality Review (AQR), but that other requests that might involve audit working paper transfer should come to the FRC. To put it another way, PCAOB should not be asking the US audit firms to get them for them.
Consent and caveat
The SEC acknowledges potential conflicts with non-US legislation and has approved a form of consent that allows consent to be signed with the caveat that it is 'to the extent permitted by local law'.
Given that all this derives from local law, we are of the view that there would be no harm signing the undertaking asked for provided it does have the important caveat: 'to the extent permitted by applicable law'. However, it might be sensible to add 'and in accordance with the Statement of Protocol between the Public Company Accounting Oversight Board of the United States and the Financial Reporting Council of the United Kingdom, dated 10 January 2011'.
Join the Audit & Assurance Faculty
Stay ahead of the rest with our comprehensive package of essential guidance and technical advice.