Information Regarding the PCAOB's Use of Personal Data
The Public Company Accounting Oversight Board (PCAOB) is an independent, non-profit corporation established by the Sarbanes-Oxley Act of 2002 (the Act) to oversee the audits of public companies (issuers) and brokers and dealers in order to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports. The PCAOB is not an agency of the U.S. government. In addition, the U.S. Securities and Exchange Commission (SEC), a governmental body, oversees the PCAOB’s regulatory activities set forth under the Act.
How might the PCAOB obtain and use my data?
The PCAOB obtains personal data reported by individuals and entities as part of its process for registering public accounting firms and annual reporting by these firms. Personal data received may include the names of firm personnel, firm clients’ personnel, business and mailing addresses, phone numbers, and accounting license numbers.
The PCAOB also may obtain personal data from registered public accounting firms and persons associated with these firms in connection with certain of its regulatory activities. These regulatory activities include:
- Inspecting registered public accounting firms, including non-U.S. firms, to assess compliance with the Act, PCAOB rules, professional standards, and other federal securities rules and regulations governing the audits of issuers and SEC-registered brokers and dealers; and
- Investigating and bringing enforcement actions against registered public accounting firms and their associated persons for violations of the Act, PCAOB rules, professional standards, and other federal securities laws relating to the preparation and issuance of audit reports and related obligations and liabilities of accountants, including SEC rules and regulations.
For example, a registered public accounting firm may document in its work papers information about an issuer when auditing the issuer’s financial transactions. PCAOB inspectors may then review those work papers to determine if the firm complied with PCAOB standards and other federal securities rules and regulations when performing the audit of the issuer’s financial statements, such as complying with independence rules.
In an enforcement context, the PCAOB may obtain personal data through the testimony of witnesses, the production of audit work papers or other documents, and the inspection of the books and records of any registered firm or associated person. The PCAOB may use personal data during an investigation of the audit performed by the registered public accounting firm to determine whether the Act or other federal securities laws are being complied with and, where appropriate, to establish that violations exist.
Sometimes, the PCAOB may simply review information in a firm’s work papers. Other times, the PCAOB will retain a copy of certain information in the firm’s work papers to substantiate the existence of a deficiency in the firm’s audit in order to support the issuance of a PCAOB inspection report. The PCAOB may also request certain information in connection with an investigation of the firm. That information is stored in the PCAOB’s information systems as required by the PCAOB’s document retention policies.
The PCAOB may obtain personal data for its inspections and enforcement activities from the SEC or another federal agency, appropriate state attorneys general or state regulatory authorities, self-regulatory organizations, and from publicly available sources. The PCAOB also enters into cooperative arrangements with foreign audit oversight authorities (FAOAs). A FAOA may transfer information to the PCAOB, including if the PCAOB is performing an inspection or investigation/disciplinary proceeding of a non-U.S. firm located in that country, and the non-U.S. firm provides information to the FAOA for the purpose of providing the information to the PCAOB.
Registered public accounting firms and their associated persons are under an obligation to comply with PCAOB requests for information in connection with an inspection or an investigation/disciplinary proceeding. A registered public accounting firm that fails to produce documents, or otherwise cooperate in a PCAOB inspection or investigation is subject to disciplinary action, up to and including the revocation of the registered public accounting firm’s ability to perform audits of U.S. issuers or broker-dealers. An associated person that fails to produce documents, or otherwise cooperate in a PCAOB inspection or investigation may be prohibited from associating with any registered public accounting firm. There is no exception in the Act or PCAOB rules that would permit a registered public accounting firm or associated person thereof to decline to cooperate on the basis that the information contains personal data of non-U.S. persons. The PCAOB historically has taken a cooperative approach to conducting inspections and investigations of audits performed by non-U.S. firms, including entering into cooperative arrangements with FAOAs to resolve legal conflicts, including agreements relating to processing personal data.
The PCAOB does not use personal data in a manner that is incompatible with its regulatory purposes.
We do not use regulatory data, including personal data, for commercial purposes.
How does the PCAOB protect my data?
All documents and information (including personal data) received by the PCAOB in connection with its inspection and enforcement activities are privileged and confidential, and exempt from disclosure unless (1) made available in appropriate detail in a written report on the findings of a PCAOB inspection, subject to statutory confidentiality restrictions; or (2) presented in accordance with a public proceeding (e.g., a disciplinary proceeding or a trial). A disclosure of information may also be made if and to the extent it is necessary to carry out the Board’s statutory responsibility to conduct investigations according to fair procedures. For example, the PCAOB staff may show documents received by the PCAOB to a witness as part of an investigation proceeding.
The PCAOB provides information security protections for the personal data that it receives to protect it against accidental or unlawful access; destruction, loss, or alteration; or unauthorized disclosure. Those protections include technical and organizational security measures.
The ability of the PCAOB to share personal data received from registered public accounting firms is limited under the Act. Specifically, the PCAOB is restricted in its ability to transfer regulatory data to third parties:
- The PCAOB may transfer to the SEC personal data received through the PCAOB’s inspection and enforcement activities to support the SEC’s oversight of public accounting firms or the SEC’s oversight of the PCAOB. The PCAOB may also transfer personal data it has obtained in inspections and investigations to the SEC in support of its oversight of other regulated entities or persons subject to the U.S. federal securities laws.
- The PCAOB may also transfer personal data obtained to specific law enforcement and regulatory authorities identified in the Act to support their regulatory and enforcement efforts, but only where the Board determines that it is necessary to accomplish the purposes of the Act or to protect investors.
Those authorities include: (i) the U.S. Attorney General or attorney general of one or more states; (ii) appropriate federal functional regulators; (iii) appropriate state regulators; (iv) appropriate self-regulatory authorities; and (v) FAOAs meeting certain criteria specified in the Act.
For the U.S. regulatory entities in that list, the Act directs the recipient to maintain the information as confidential and privileged, subject to the exception for public proceedings.
The PCAOB cooperates with certain FAOAs that are subject to data protection laws over personal data by entering into a bilateral data protection agreement. These agreements include safeguards, such as use restrictions, notification provisions regarding potential sharing of information, and redress mechanisms to address concerns over processing of personal data. Additional information about safeguards over personal data may be found in the data protection agreements entered into with respective FAOAs.