Agreement between FRC and PCAOB on the Transfer of Certain Personal Data
Agreement between the Financial Reporting Council in the United Kingdom and the Public Company Accounting Oversight Board in the United States of America on the Transfer of Certain Personal Data
The Financial Reporting Council (FRC) and the Public Company Accounting Oversight Board (PCAOB), each a "Party", together the "Parties", acting in good faith, will apply the safeguards specified in this data protection agreement ("Agreement") relating to the transfer of personal data, recognizing the importance of the protection of personal data and of having robust regimes in place for the protection of personal data, having regard to the Data Protection Act 2018 (DPA 2018) and the UK GDPR (including, without limitation, Article 46(3)) (together, "UK data protection law"), having regard to the European Union (Withdrawal) Act 2018, ss 2 and 3, retaining Article 47 of Directive 2006/43/EC of the European Parliament and of the Council, having regard to the PCAOB's responsibilities and authority under the Sarbanes-Oxley Act of 2002, as amended (the "Sarbanes-Oxley Act"), having regard to the relevant legal framework for the protection of personal data in the jurisdiction of the Parties and acknowledging the importance of regular dialogue between the Parties, having regard to the need to process personal data to carry out the public mandate and the exercise of official authority vested in the Parties, and having regard to the need to ensure efficient international cooperation between the Parties acting in accordance with their mandates as defined by applicable laws, have reached the following understanding:
ARTICLE I - DEFINITIONS
For purposes of this Agreement:
(a) "ICO" means the Information Commissioner's Office. The ICO is the UK's data protection authority;
(b) "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, location data, an identification number, an online identifier or to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity;
(c) "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
(d) "processing of personal data" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction of processing, erasure or destruction;
(e) "profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
(f) "sharing of personal data" means the sharing of personal data by a receiving Party with a third party in its country consistent with Article IV paragraphs 6-7 of the SOP;
(g) "special categories of personal data/sensitive data" means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and data concerning health or sex life and data relating to criminal convictions and offences or related security measures based on Articles 9(1) and 10 of the UK GDPR, and sections 10 and 11 of the DPA 2018, in relation to individuals;
(h) "SOP" or "Statement" means the Statement of Protocol between the PCAOB and the FRC to facilitate cooperation and the exchange of information;
(i) "data subject rights" in the Agreement refers to the following:
- "right not to be subject to automated decisions, including profiling" means a data subject's right not to be subject to legal decisions being made concerning him or her based solely on automated processing;
- "right of access" means a data subject's right to obtain from a Party confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case, to access the personal data;
- "right of erasure" means a data subject's right to have his or her personal data erased by a Party where the personal data are no longer necessary for the purposes for which they were collected or processed, or where the data have been unlawfully collected or processed;
- "right of information" means a data subject's right to receive information on the processing of personal data relating to him or her in a concise, transparent, intelligible and easily accessible form;
- "right of objection" means a data subject's right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her by a Party, except in cases where there are compelling legitimate grounds for the processing that override the grounds put forward by the data subject or for the establishment, exercise or defence of legal claims;
- "right of rectification" means a data subject's right to have the data subject's inaccurate personal data corrected or completed by a Party without undue delay;
- "right of restriction of processing" means a data subject's right to restrict the processing of the data subject's personal data where the personal data are inaccurate, where the processing is unlawful, where a Party no longer needs the personal data for the purposes for which they were collected or where the personal data cannot be deleted.
ARTICLE II - PURPOSE AND SCOPE OF THE AGREEMENT
The purpose of this Agreement is to provide appropriate safeguards with respect to personal data transferred by the FRC to the PCAOB pursuant to Article 46(3)(b) of the UK GDPR and in the course of cooperation pursuant to the SOP. The Parties agree that the transfer of personal data by the FRC to the PCAOB shall be governed by the provisions of this Agreement and are committed to having in place the safeguards described in this Agreement for the processing of personal data in the exercise of their respective regulatory mandates and responsibilities. This Agreement is intended to supplement the SOP between the Parties.
Each Party confirms that it has the authority to act consistently with the terms of this Agreement and that it has no reason to believe that existing applicable legal requirements prevent it from doing so.
This Agreement does not create any legally binding obligations, confer any legally binding rights, nor supersede domestic law. The Parties have implemented, within their respective jurisdictions, the safeguards set out in this Agreement in a manner consistent with applicable legal requirements. Parties provide safeguards to protect personal data through a combination of laws, regulations and their own internal policies and procedures.
ARTICLE III - DATA PROCESSING PRINCIPLES
1. Purpose limitation
Personal data transferred by the FRC to the PCAOB may be processed by the PCAOB itself only to fulfil its audit regulatory functions in accordance with the Sarbanes-Oxley Act, i.e., for the purposes of auditor oversight, inspections and investigations of registered audit firms and their associated persons subject to the regulatory jurisdiction of the PCAOB and the FRC. The onward sharing, including the purpose for such sharing, of such data by the PCAOB, will be consistent with the Sarbanes-Oxley Act and is governed by paragraph 7 below. The PCAOB will not process personal data it receives from the FRC for any purpose other than as set forth in this Agreement.
2. Data quality and proportionality
The Parties shall make all reasonable efforts to ensure that the personal data transferred by one Party to the other are adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed. A Party will inform the other Party without undue delay if it learns that previously transmitted or received information is inaccurate and/or must be updated. In such case, the Parties will make any appropriate corrections to their respective files, having regard to the purposes for which the personal data have been transferred, which may include supplementing, erasing, restricting the processing of, correcting or otherwise rectifying the personal data as appropriate.
The Parties acknowledge that the PCAOB primarily seeks information relating to the professional activities of the individual persons who were responsible for or participated in the audit engagements selected for review during an inspection or an investigation, or who play a significant role in the firm's management and quality control, including but not limited to these individuals' names, titles, positions, employment history, training/certifications, work assignments and other basic personal identifiers. Such information would be used by the PCAOB in order to assess the degree of compliance of the registered accounting firm and its associated persons with the Sarbanes-Oxley Act, the securities laws relating to the preparation and issuances of audit reports, the rules of the PCAOB, the rules of the SEC and relevant professional standards in connection with its performance of audits, issuances of audit reports and related matters involving issuers (as defined in the Sarbanes-Oxley Act).
The personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed, or for the time as required by applicable laws, rules and regulations. The Parties shall have in place appropriate record disposal procedures for all information received pursuant to this Agreement.
3. Transparency
Both Parties will publish this Agreement on their websites. Both Parties will also provide to data subjects information relating to the transfer and further processing of personal data, in accordance with and within the limitations of their respective legal obligations. If, after consideration of any applicable legal obligations or limitations therein, the FRC concludes that it is required to inform a data subject of the transfer of his/her personal data to the PCAOB, the FRC will notify the PCAOB in advance of informing the data subject.
4. Security and confidentiality
The Parties acknowledge that in Annex 1, the PCAOB has provided information describing its technical and organizational security measures deemed adequate by the other Party to guard against accidental or unlawful destruction, loss, alteration, disclosure of, or access to, the personal data. The PCAOB agrees to notify the other Party of any change to the technical and organizational security measures that would weaken the protection provided for personal data and to update the information in Annex 1 in accordance with Article IV, paragraph 3 of the SOP if such changes are made. In the case that the PCAOB provides such notification to the FRC, the FRC would inform the ICO of such changes if it considers that it is necessary to do so.
The PCAOB provided to the FRC a description of its applicable laws and/or rules relating to confidentiality and the consequences for any unlawful disclosure of non-public or confidential information or suspected violations of these laws and/or rules.
In the case where a receiving Party becomes aware of a personal data breach affecting personal data that has been transferred under this Agreement, it will without undue delay and, where feasible, not later than 24 hours after having become aware that it affects such personal data, notify the personal data breach to the other Party. The notifying Party shall also as soon as possible use reasonable and appropriate means to remedy the personal data breach and minimize the potential adverse effects.
5. Data subject rights
A data subject whose personal data has been transferred to the PCAOB can exercise his/her data subject rights as defined in Article I(i), including by requesting that the FRC identify any personal data that has been transferred to the PCAOB and requesting that the FRC confirm with the PCAOB that his/her personal data is complete, accurate and, if applicable, up-to-date, and that the processing is in accordance with the personal data processing principles in this Agreement. A data subject may exercise his/her data subject rights by making a request directly to the FRC:
- by e-mail to [email protected];
- by post to: 8th Floor, 125 London Wall, London, EC2Y 5AS
The PCAOB will address in a reasonable and timely manner any such request from the FRC concerning any personal data transferred by the FRC to the PCAOB. Either Party may take appropriate steps, such as charging reasonable fees to cover administrative costs or declining to act on a data subject's request that is manifestly unfounded or excessive. The FRC will provide information to the data subject on the action taken on a request within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of requests. The FRC will inform the data subject of any such extension within one month of receipt of the request.
Should the data subject wish to contact the PCAOB, he/she may send an email to: [email protected].
Safeguards relating to data subject rights are subject to a Party's legal obligation not to disclose confidential information pursuant to professional secrecy or other legal obligations. These safeguards may be restricted to prevent prejudice or harm to supervisory or enforcement functions of the Parties acting in the exercise of the official authority vested in them, such as for the monitoring or assessment of compliance with the Party's applicable laws or prevention or investigation of suspected offenses; for important objectives of general public interest, as recognized in the United States and in the United Kingdom, including in the spirit of reciprocity of international cooperation; or for the supervision of regulated individuals and entities. The restriction should be necessary and provided by law, and will continue only for as long as the reason for the restriction continues to exist. The PCAOB agrees that it will not take a legal decision concerning a data subject based solely on automated processing of personal data, including profiling, without human involvement.
6. Special categories of personal data/sensitive data
Special categories of personal data/sensitive data, as defined in Article I(g), shall not be transferred by the FRC to the PCAOB.
7. Onward sharing of personal data
The PCAOB will only share personal data received from the FRC with those entities identified in Article IV paragraphs 6 and 7 of the SOP. In the event that the PCAOB intends to share any personal data with any third party identified in Article IV paragraph 7 of the SOP, other than the U.S. Securities and Exchange Commission, the PCAOB will request the prior written consent of the FRC and will only share such personal data if the third party provides appropriate assurances that are consistent with the safeguards in this Agreement. When requesting such prior written consent, the PCAOB should indicate the type of personal data that it intends to share and the reasons and purposes for which the PCAOB intends to share personal data. If the FRC does not provide its written consent to such sharing within a reasonable time, not to exceed ten days, the PCAOB will consult with the FRC and consider any objections it may have. If the PCAOB decides to share the personal data without the FRC's written consent, the PCAOB will notify the FRC of its intention to share. The FRC may then decide whether to suspend the transfer of personal data and, to the extent that it decides to suspend such transfers, the FRC will inform accordingly the UK data protection authority should it consider that it is necessary to do so. Where the appropriate assurances referred to above cannot be provided by the third party, the personal data may be shared with the third party in exceptional cases if sharing the personal data is for important reasons of public interest, as recognized in the United States and in the UK, including in the spirit of reciprocity of international cooperation, or if the sharing is necessary for the establishment, exercise or defense of legal claims.
Before sharing personal data with the U.S. Securities and Exchange Commission, the PCAOB will obtain from the U.S. Securities and Exchange Commission appropriate assurances that are consistent with the safeguards in this Agreement. In addition, the PCAOB will periodically inform the FRC of the nature of personal data shared and the reason it was shared if the PCAOB has shared any personal data subject to this Agreement with the U.S. Securities and Exchange Commission, if providing such information will not risk jeopardizing an ongoing investigation.
8. Redress
Any dispute or claim brought by a data subject concerning the processing of his or her personal data pursuant to this Agreement may be made to the FRC, the PCAOB, or both, as may be applicable. Each Party will inform the other Party about any such dispute or claim, and will use its best efforts to amicably settle the dispute or claim in a timely fashion.
Any concerns or complaints regarding the processing of personal data by the PCAOB may be reported directly to the PCAOB Center for Enforcement Tips, Referrals, Complaints and Other Information, specifically through the Tips & Referral Center, where information may be provided through an online form on the web site, or via electronic mail, letter or telephone, or, alternatively may be reported to the FRC by sending such information to [email protected]. The PCAOB will inform the FRC of reports it receives from data subjects on the processing of his/her personal data that was received by the PCAOB from the FRC and will consult with the FRC on a response to the matter.
If a Party or the Parties is/are not able to resolve a concern or complaint made by a data subject regarding the processing of personal data by the PCAOB received through the Tips & Referral Center, and the data subject's concern or complaint is not manifestly unfounded or excessive, the data subject, the Party or the Parties may use an appropriate dispute resolution mechanism conducted by an independent function within the PCAOB. The decision reached through this dispute resolution mechanism may be submitted to a second independent review, which would be conducted by a separate independent function. The dispute resolution mechanism and the process for the second review are described in Annex III to this Agreement. Under this Agreement, the data subject may exercise his or her rights for judicial or administrative remedy (including damages) according to UK data protection law.
In situations where the FRC is of the view that the PCAOB has not acted consistently with the safeguards set out in this Agreement, the FRC may suspend the transfer of personal data under this Agreement until the issue is satisfactorily addressed and may inform the data subject thereof. Before suspending such transfers, the FRC will discuss the issue with the PCAOB and the PCAOB will respond without undue delay.
9. Oversight
Each Party will conduct periodic reviews of its own policies and procedures that implement the safeguards over personal data described in the Agreement. Upon reasonable request from the other Party, a Party will review its policies and procedures to ascertain and confirm that the safeguards specified in this Agreement are being implemented effectively and send a summary of the review to the other Party.
Upon request by the FRC to conduct an independent review of the compliance with the safeguards in the Agreement, the PCAOB will notify the Office of Internal Oversight and Performance Assurance ("IOPA"), which is an independent office of the PCAOB, to perform a review to ascertain and confirm that the safeguards in this Agreement are being effectively implemented. IOPA will conduct the review according to the procedures and standards established and used by IOPA to perform its regular mandate, as further described in Annex IV to this Agreement. For purposes of its independent review, IOPA will be informed of any dispute or claim brought by a data subject concerning the processing of his or her personal data pursuant to section 8 of this Article, including PCAOB staff actions taken to implement decisions resulting from a dispute resolution mechanism. IOPA will provide a summary of the results of its review to the FRC once the PCAOB's governing Board approves the disclosure of the summary to the FRC.
Where the FRC has not received the results of IOPA's review and is of the view that the PCAOB has not acted consistently with the safeguards specific to its obligations under this Agreement, the FRC may suspend the transfer of personal data to the PCAOB under this Agreement until the issue is satisfactorily addressed by the PCAOB. Before suspending transfers, the FRC will discuss the issue with the PCAOB and the PCAOB will respond without undue delay. In the event that the FRC suspends the transfer of personal data to the PCAOB, or resumes transfers after any such suspension, the FRC shall promptly inform the ICO.
ARTICLE IV - ENTRY INTO EFFECT AND TERMINATION
This Agreement comes into force from the date of signature and shall remain in force only during the period the SOP is also in force. This Agreement supersedes any previous Agreement between the Parties in relation to the sharing of personal data. The Parties may consult and revise the terms of this Agreement whenever deemed useful and in particular in the event of a substantial change in the law, regulations or practices affecting the operation of this Agreement.
This Agreement may be terminated by either Party at any time. After termination of this Agreement, the Parties shall continue to maintain as confidential, consistent with Article IV of the SOP, any information provided under the SOP. After termination of this Agreement, any personal data previously transferred under this Agreement will continue to be handled by the PCAOB according to the safeguards set forth in this Agreement. The Parties acknowledge that, under section 105(b)(5) of the Sarbanes-Oxley Act, termination of this Agreement and the SOP would limit the PCAOB's ability to share confidential information with the FRC in connection with applying the relevant safeguards set forth in this Agreement.
The FRC will promptly notify the UK data protection authority of any amendment or termination of this Agreement.

Annexes to the Agreement between the Financial Reporting Council in the United Kingdom and the Public Company Accounting Oversight Board in the United States of America on the Transfer of Certain Personal Data
- Annex I: PCAOB Description of Information Technology Systems/Controls [CONFIDENTIAL]
- Annex II: List of Entities with whom the PCAOB is permitted to onward share confidential information
- Annex III: Description of Applicable Dispute Resolution Processes (Redress)
- Annex IV: Description of Oversight over PCAOB implementation of DPA safeguard
Annex II: List of Entities with whom the PCAOB is permitted to onward share confidential information
The third parties with whom the PCAOB may onward share personal data referenced in Article III, section 7 of the Data Protection Agreement are enumerated in Section 105(b)(5)(B) of the Sarbanes-Oxley Act of 2002, as amended, which states:
- Availability to government agencies.— Without the loss of its status as confidential and privileged in the hands of the Board, all information referred to in subparagraph (A) [of Section 105(b)(5)] may—
  - be made available to the [Securities and Exchange Commission]; and
  - in the discretion of the Board, when determined by the Board to be necessary to accomplish the purposes of this Act or to protect investors, be made available to—
    - the Attorney General of the United States;
    - the appropriate Federal functional regulator (as defined in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)), other than the [Securities and Exchange Commission], and the Director of the Federal Housing Finance Agency, with respect to an audit report for an institution subject to the jurisdiction of such regulator;
    - State attorneys general in connection with any criminal investigation;
    - any appropriate State regulatory authority; and
    - a self-regulatory organization, with respect to an audit report for a broker or dealer that is under the jurisdiction of such self-regulatory organization,
  each of which shall maintain such information as confidential and privileged.
Annex III: Description of Applicable Dispute Resolution Processes (Redress)
The PCAOB's redress mechanism referenced in the data protection agreement (DPA) allows a data subject to seek redress of unresolved claims or disputes about the PCAOB's processing of his or her personal data received under the DPA. The redress mechanism includes two levels of review. As described in the DPA, the first level of review will take place in front of an independent function within the PCAOB (the PCAOB Hearing Officer) and the second level of review will take place in front of an independent function contracted by the PCAOB (a hearing officer outsourced from an independent entity).
1. First Level of Redress – PCAOB Hearing Officer
The PCAOB Hearing Officer serves as the independent, impartial reviewer of fact in a formal administrative proceeding requiring an authoritative decision. The PCAOB Hearing Officer is an attorney who is employed by the PCAOB and subject to the PCAOB Ethics Code and the restrictions under Section 105(b)(5) of the Sarbanes-Oxley Act (Act), including with respect to handling of confidential and non-public information, but is independent of all PCAOB Divisions and Offices responsible for requesting and processing personal data in connection with the PCAOB's oversight activities. In exercising his or her duties, the PCAOB Hearing Officer has a responsibility to act with honor and integrity so that all rulings, decisions, conclusions and judgments therein are fair and impartial. These fundamental attributes of necessary and appropriate authority, independence, objectivity, impartiality, and fairness are applicable to the redress mechanism.
The following features of the PCAOB's Office of the Hearing Officer and PCAOB rules are designed to ensure the PCAOB Hearing Officer's independence:
- The PCAOB's Office of the Hearing Officer hires and maintains its own staff, and both the PCAOB Hearing Officer and staff are kept physically separate from other PCAOB staff. The PCAOB is obligated to provide appropriate funding and resources to the PCAOB's Office of the Hearing Officer.
- Board members and PCAOB staff are specifically prohibited from attempting to improperly influence the PCAOB Hearing Officer's decisions (in the litigation of a matter, staff may only provide evidence and arguments on notice and with opportunity for all parties to participate). Breaches of this requirement would subject staff to discipline under the PCAOB Ethics Code.
- A PCAOB Hearing Officer may not be terminated or removed from a case to influence the outcome of a proceeding, and termination of the PCAOB Hearing Officer requires approval of the U.S. Securities and Exchange Commission.
- Decisions about the PCAOB Hearing Officer's performance and compensation may not take into account the outcome of proceedings.
The PCAOB Hearing Officer would independently review the merits of a formal complaint as to whether the PCAOB staff complied with the safeguards described in the DPA when processing the data subject's personal data and issue an authoritative decision within a reasonable time.
Under the first level of redress, a data subject would submit a formal complaint to the PCAOB Office of the Hearing Officer describing with specificity the data subject's claims or disputes about the PCAOB's processing of his or her personal data. The PCAOB staff involved in the processing of the data subject's personal data would file a response to the complaint, and the PCAOB counterpart to the DPA may submit a response to describe its involvement with respect to the processing and transfer of the personal data at issue. The data subject would receive a copy of all responses submitted to the PCAOB Hearing Officer, except that any information that is confidential under Section 105(b)(5) of the Act would have to be redacted. The PCAOB Hearing Officer would review the formal complaint and responses and make an authoritative decision on any disputed facts presented as to whether PCAOB staff complied with the safeguards described in the DPA when processing the personal data at issue.
The first level of redress would conclude when the PCAOB Hearing Officer issues a written decision regarding the data subject's complaint. If the PCAOB Hearing Officer concludes the PCAOB staff did not comply with the safeguards in the DPA that are the subject of the complaint, the PCAOB Hearing Officer will order the PCAOB staff to comply with the respective safeguards. The PCAOB Hearing Officer's decision in favor of the data subject is binding on the PCAOB staff, and the PCAOB or its staff may not seek further review of the PCAOB Hearing Officer's decision. All parties involved would receive the results of the administrative proceeding, and the data subject would receive a form of the formal decision prepared in compliance with the confidentiality restrictions under Section 105(b)(5) of the Act. When informed of the PCAOB Hearing Officer's decision, the data subject also will be provided with notice of the second level of redress described below and information about the process for commencing such second level of redress.
2. Second Level of Redress – Hearing Officer Outsourced from an Independent Entity
The second level of redress established by the PCAOB will afford a data subject an opportunity to seek a review of the formal decision issued by the PCAOB Hearing Officer. The PCAOB will utilize the services of an independent entity, with whom the PCAOB has contracted for similar services in the past, to provide hearing officer services for the second level of redress. These hearing officers are experienced attorneys, who, while performing services for the PCAOB under the agreement, are subject to PCAOB rules — including the PCAOB Ethics Code and independence and impartiality measures under PCAOB adjudicatory rules. Pursuant to a contract, upon the PCAOB's request, the independent entity would provide one of its hearing officers to preside independently and impartially over any redress matter. A hearing officer retained to preside over the second level of redress would be designated as a "redress reviewer" and would execute an enforceable non-disclosure agreement with the PCAOB to confirm the retained hearing officer will adhere to the confidentiality restrictions under Section 105(b)(5) of the Act when reviewing confidential information received during the redress proceeding.
To obtain a second level of redress, the data subject must file a petition with the PCAOB's Office of the Secretary no later than 30 days after service of the PCAOB Hearing Officer's decision. The petition shall identify alleged errors or deficiencies in the PCAOB Hearing Officer's decision from the first level of redress. The PCAOB's Secretary will promptly (within 30 days) issue an order assigning the matter to the independent entity, which will designate a hearing officer to serve as the redress reviewer.
The redress reviewer will receive supporting arguments and any additional supporting documentation from each party involved (including the data subject, PCAOB counterpart to the DPA, and PCAOB staff). As with the first level of redress, the data subject will receive a copy of all responses submitted to the redress reviewer, except that any information that is confidential under Section 105(b)(5) of the Act would be redacted.
Based on the parties' submissions and the underlying record, the redress reviewer shall consider whether the PCAOB's Hearing Officer's findings and conclusions were arbitrary and capricious, or otherwise not in accordance with the DPA. At the conclusion of the review and within a reasonable time, the redress reviewer shall issue a written decision addressing the data subject's challenges to the underlying decision. If the decision concludes that the PCAOB staff did not comply with the safeguards in the DPA, the redress reviewer will order the PCAOB staff to comply with the respective safeguards. The redress reviewer's decision shall serve as the final determination in the matter.
Annex IV: Oversight over PCAOB implementation of DPA safeguards
Under the data protection agreement (DPA), independent oversight over the PCAOB's compliance with the safeguards provided in the DPA is provided by the PCAOB's Office of Internal Oversight and Performance Assurance (“IOPA" or the "Office”).7
IOPA is an independent office within the PCAOB that is charged with “providing internal examination of the programs and operations of the PCAOB to help ensure the internal efficiency, integrity, and effectiveness of those programs and operations. The assurance provided by the Office is intended to promote the confidence of the public, the Securities and Exchange Commission, and Congress in the integrity of PCAOB programs and operations."8
To achieve its mission, among other actions, IOPA must identify risks to the efficiency, integrity, and effectiveness of PCAOB programs and operations, and, based on its risk assessment, conduct performance and quality assurance reviews, audits, and inquiries to detect and deter waste, fraud, abuse, and mismanagement in PCAOB programs and operations; and recommend constructive actions that, when implemented, reduce or eliminate identified risks, and promote compliance with applicable laws, regulations, and PCAOB rules and policies.
IOPA's activities include, among others:
- Providing ongoing quality assurance with regard to the design and operating effectiveness of PCAOB programs;
- Conducting inquiries relating to PCAOB programs and operations; and
- Receiving and reviewing allegations of wrongdoing lodged against PCAOB personnel as well as tips and complaints of potential waste, fraud, abuse, or mismanagement in PCAOB programs or operations.
In order to carry out its work, pursuant to the IOPA Charter, the Director and staff of IOPA must "be free, both in fact and appearance, from personal, external, and organizational impairments to independence." In order to promote such independence, unlike other PCAOB employees (who generally report to a single individual at the PCAOB), the Director reports directly to all five members of the PCAOB Board. Under the IOPA Charter, the "[e]valuation of the Director's performance and the setting of his/her compensation shall be based on the Director's management of the Office, effective execution of the Office's work, and shall not be based on the nature of the results from the Office's reviews, audits, and inquiries." In addition, IOPA's independence is promoted by the fact that the Director's term in office is limited to a single five-year term, and IOPA itself is subject to a regular external quality assurance review. IOPA also may report to the PCAOB's General Counsel, including the Ethics Officer, regarding its work, including the results of inquiries into tips, complaints, and/or allegations of professional or ethical misconduct. Finally, IOPA has guaranteed unrestricted access to all personnel and records, reports, audits, reviews, documents, papers, recommendations, or other materials of the PCAOB.
Should IOPA become aware of "particularly serious or flagrant problems, abuses, or deficiencies relating to the administration of PCAOB programs and operations and that warrant immediate Board attention,” IOPA must immediately report such information to the PCAOB Board, and such information also must be reported to the SEC within seven calendar days.
In order to conduct its work, IOPA follows accepted standards and requirements. These include the mandatory guidance of the Institute of Internal Auditors, such as the (i) International Standards for the Professional Practice of Internal Auditing, (ii) Core Principles for the Professional Practice of Internal Auditing, (iii) Definition of Internal Auditing, and (iv) Code of Ethics.
With respect to the DPA, IOPA has the ability to conduct a review of the PCAOB's compliance with relevant data protection safeguards:
- On IOPA's own initiative, e.g. based on its assessment of risks to the PCAOB's programs and operations;
- In response to tips, complaints, and/or allegations of professional or ethical misconduct; or
- Upon request of the PCAOB Board (e.g. to comply with the requirement under the DPA that the PCAOB ask for a review by IOPA upon a request).
In order to conduct such a review, as noted above, IOPA has unrestricted access to all PCAOB documentation relating to the relevant PCAOB activities.
In conducting its review, IOPA will follow its standard auditing process, in accordance with the Institute of Internal Auditors' International Standards, consisting of the following phases.
Planning
Determine the audit objectives and appropriate audit criteria. (Audit criteria would be based on the safeguard provisions described in the data protection agreement.) Also, preliminarily assess risk to accomplishing management's objectives and identify controls in place to mitigate the risks. Determine appropriate audit scope relative to the processes and control procedures to be reviewed and tested. Design substantive compliance tests to be performed to assess the design and operating effectiveness of the stated data protection safeguards.
Execution
Following the documented audit program, perform the test work. Test work will generally consist of review of policies and procedures and information system process flow descriptions; interviews with process and control owners; walkthroughs/demonstrations of safeguards and related controls; auditor re-performance of certain safeguards/controls; auditor testing of safeguards/controls based on representative sample selections and review of supporting documentation evidencing control design and operation.
Quality Review
IOPA management will supervise on-going work, and review and approve work product generated by the staff. IOPA management will determine the propriety of any audit issues raised and the adequacy of supporting evidence.
Reporting
IOPA will draft a report disclosing the results of its review. Recommendations will be made to ameliorate the noted issues. The report will include PCAOB staff's written response, indicating concurrence with the noted audit observations, corrective actions taken or planned, and target dates for completion. Reports will be reviewed by the PCAOB Governing Board and will be provided to the PCAOB's counterpart to the DPA after the PCAOB's Governing Board approves the nonpublic disclosure of the report to that counterpart. Board approval addresses only the nonpublic disclosure of IOPA's findings, as required by the PCAOB's Ethics Code, and does not include Board involvement in determining the content of IOPA's report, including the results of the review.
Follow-Up
At the appropriate time, IOPA will follow up on PCAOB staff's corrective actions to verify that they have been satisfactorily completed.
Footnotes

1. https://media.frc.org.uk/documents/Statement_of_Protocol_between_the_FRC_and_the_PCAOB.pdf; and https://assets.pcaobus.org/pcaob-dev/docs/default-source/international/documents/cooperative_agreement_uk.pdf?sfvrsn=d3df18fc_0
2. These rights arise from the UK GDPR (see UK GDPR Chapter III).
3. Entities with whom the PCAOB is permitted by U.S. law to onward share confidential information are described in Annex II.
4. The term 'Federal functional regulator' in (B)(ii)(II) above is defined in 15 U.S.C. § 6809 to include:
   - the Board of Governors of the Federal Reserve System,
   - the Office of the Comptroller of the Currency,
   - the Board of Directors of the Federal Deposit Insurance Corporation,
   - the Director of the Office of Thrift Supervision,
   - the National Credit Union Administration Board, and
   - the Securities and Exchange Commission.
   Other than the SEC, these are the various regulators of financial institutions in the United States.
5. The term 'State regulatory authorities' under PCAOB Rule 1001(a)(xi) means "the State agency or other authority responsible for the licensure or other regulation of the practice of accounting in the State or States having jurisdiction over a registered public accounting firm or associated persons thereof...." These would largely be the State Boards of Accountancy in the U.S.
6. Because the PCAOB has not, to date, employed more than one Hearing Officer, the PCAOB contracted with another regulatory body to obtain access to their hearing officers. When additional hearing officers were needed, their hearing officers have acted as independent consultants/contractors of the PCAOB and presided over certain disciplinary proceedings. The second level of redress would be conducted by one of these hearing officers, or under a similar arrangement.
7. DPA Sec. 9 states that, upon request from the PCAOB's counterpart to the DPA to conduct an independent review of the compliance with the safeguards in the DPA, the PCAOB will notify IOPA to perform a review to ascertain and confirm that the safeguards in the DPA are being effectively implemented.
8. See IOPA Charter.