Audit, Compliance and Risk Blog

PCAOB Becomes Latest Regulator to Encourage Self-Policing

Posted by Jon Elliott on Tue, May 21, 2013

The latest regulator to establish a formal policy offering companies incentives to self-police is the Public Company Accounting Oversight Board (PCAOB), which regulates the accountants that audit the books for public companies and broker-dealers and help prepare their periodic reports.  On April 24, PCAOB issued its “Policy Statement on Extraordinary Cooperation in Connection with Board Investigations.”  This Policy Statement formalizes guidance to auditors, explaining how PCAOB’s inspection and enforcement personnel view regulated entities’ willingness to go beyond mere compliance, by taking steps such as:

  • Enhanced internal compliance and monitoring programs, to more effectively prevent non-compliance and to identify noncompliance that does occur.

  • Enhanced cooperation during agency inspections and investigations, to expedite discovery and correction of noncompliance.

What Cooperation is “Extraordinary”?

PCAOB is at pains to emphasize that auditors and public companies are supposed to cooperate with PCAOB—and with the Securities and Exchange Commission (SEC), which regulates public companies and oversees PCAOB’s activities—so self-inspections, formal audits, and truthful reports to regulators and the public all constitute ordinary cooperation.  For example, if an auditor believes it has discovered illegal activities at a company, Section 10A of the Securities Exchange Act of 1934 requires it to report to company management, and requires the company to respond.  In contrast, then, PCAOB offers the following guidance:

Extraordinary cooperation is voluntary and timely action—beyond compliance with legal or regulatory obligations—that contributes to the mission of the Board. ...

Self-Reporting relates to conduct upon learning of violations. A firm or associated person may earn credit for self-reporting by making voluntary, timely and full disclosure of the facts relating to violations before the conduct comes to the attention of the Board or another regulator. ...

Remedial or Corrective Actions are voluntary, timely and meaningful actions designed to reduce the likelihood and risk that similar violations will recur, as well as actions to correct violative conduct. ...

Substantial Assistance to the Board’s investigative processes or to other law enforcement authorities includes timely and voluntarily providing information or documents that might not have been discovered absent that cooperation, or beyond that sought by the Board’s staff via accounting board demands and requests, and beyond what is required pursuant to legal and regulatory reporting requirements. …”

PCAOB’s guidance about these three broad types of cooperation is fairly general, and the agency explicitly preserves its discretion to interpret each situation separately.

Comparable incentive programs from other regulatory and enforcement agencies provide similar lists of favored (and disfavored) actions.  For example, in 2001 SEC published an enforcement order relieving a parent company of all liability for the errant controller of one of its subsidiaries, and took the opportunity to list 13 mitigating and exacerbating actions (SEC, “Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions” (10/23/01)).  Similarly, the U.S. Sentencing Commission offers penalty reductions to an organization convicted of criminal violation of federal laws, if it has an “effective compliance and ethics program.” (US Sentencing Guidelines, sec. 8B2.1).

How Can an Organization Position Itself to be Extraordinarily Cooperative?

The best way to be ready to find and report non-compliance is to build a robust and proactive compliance program.  And even better, such a program reduces the likelihood that the organization will violate applicable requirements in the first place, obviating the need to cooperate in an enforcement matter. Although PCAOB’s Policy Statement doesn’t provide any useful guidance, SEC oversees national securities exchanges’ listing requirements that each public company have a Code of Ethics (29 CFR secs. 229.406, 274.128), including “written standards that are reasonably designed to deter wrongdoing and to promote” the following:

  • Honest and ethical conduct, including ethical handling of actual or apparent conflicts of interest.

  • Full, fair, accurate, timely, and understandable disclosure in formal reporting and other communications to SEC and the public.

  • Compliance with applicable laws, regulations, and rules.

  • Prompt internal reporting of violations of the code.

  • Accountability for adherence to the code.

The U.S. Sentencing Commission’s guidelines offer similar information.  The following Implementation Checklist offers questions drawn from such guidelines, to help the organization immunize itself against violations and prepare to cooperate should violations occur.

Implementation Checklist

  • Has the organization established a compliance and/or ethics program to prevent and detect violations of applicable laws? 

    • Do formal organizational policies define standards and procedures for agents and employees?
    • Are specific high-level personnel assigned responsibility and authority to ensure these standards and procedures are followed?
    • Does the organization provide training and/or other means to communicate standards and procedures effectively to its agents and employees?
    • Is there an effective program for enforcing these standards (e.g., monitoring and audits)?
    • Are there internal reporting mechanisms (including protections against possible retaliation)?
    • Does the program include clear and effective disciplinary mechanisms?
    • Does the program provide for immediate and appropriate steps to correct the condition giving rise to any detected offense or violation (e.g., program changes and individual disciplinary actions)?
    • Does the program include provisions for self-reporting to appropriate authorities?
  • Does the organization have formal policies to cooperate fully with inspectors and auditors from regulatory and enforcement agencies? 

    • If so, are responsible individuals assigned as points of contact, for organization staff and for agency personnel (this will strengthen reporting mechanisms, while also creating an opportunity for responsible personnel to manage disclosures)?
  • Does the organization implement these measures effectively?

    •  Are training, audits, and monitoring actually provided, and documents?
    •  Has the organization ever detected a violation?
    •  Has an agency inspector ever detected a violation?
    •  What was the organization's actual response to detected violation(s)?

 Where Can I Go For More Information?

About the Author Elliott is President of Touchstone Environmental and has been a major contributor to STP’s product range for over 25 years. He was involved in developing 16 existing products,including Workplace Violence Prevention: A Practical Guide to Security on the JobSecurities Law and Directors' and Officers' Liability.

Mr. Elliott has a diverse educational background. In addition to his Juris Doctor (University of California, Boalt Hall School of Law, 1981), he holds a Master of Public Policy (Goldman School of Public Policy [GSPP], UC Berkeley, 1980), and a Bachelor of Science in Mechanical Engineering (Princeton University, 1977).

Mr. Elliott is active in professional and community organizations. In addition, he is a past chairman of the Board of Directors of the GSPP Alumni Association, and past member of the Executive Committee of the State Bar of California's Environmental Law Section (including past chair of its Legislative Committee).

You may contact Mr. Elliott directly at:

Tags: Business & Legal, SEC, Accounting & Tax, Accountants