COMMISSION IMPLEMENTING DECISION
of 22.7.2022
on the adequacy of the competent authorities of the United States of America pursuant to Directive 2006/43/EC of the European Parliament and of the Council
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC 1 , and in particular Article 47(3), first subparagraph, thereof,
Whereas:
(1) By Commission Implementing Decision 2016/1156/EU 2 , the Commission considered that the competent authorities of the United States of America, namely the Public Company Accounting Oversight Board and the Securities and Exchange Commission, meet requirements that are adequate for the purposes of Article 47(1), point (c), of Directive 2006/43/EC. That Implementing Decision will cease to apply on 31 July 2022. Therefore, it is necessary to determine whether the competent authorities of the United States continue to meet requirements that are adequate for the transfer to them of audit working papers or other documents held by statutory auditors or audit firms and inspection or investigation reports.
(2) When inspections or investigations are carried out, statutory auditors and audit firms should not be allowed to grant access to or to transmit their audit working papers or other documents to the competent authorities of the United States under any other conditions than those set out in Article 47 of Directive 2006/43/EC.
(3) Member States are to ensure that the working arrangements required by Article 47(1), point (d), of Directive 2006/43/EC to transfer audit working papers or other documents held by statutory auditors or audit firms and of inspection or investigation reports between their competent authorities and the competent authorities of the United States are agreed on the basis of reciprocity and include protection of any professional secrets and sensitive commercial information contained in such papers relating to the entities audited, including their industrial and intellectual property, or to the statutory auditors and audit firms that audited those entities.
(4) Where a transfer of audit working papers or other documents held by statutory auditors or audit firms and of inspection or investigation reports to the competent authorities of the United States involves the transfer of personal data, such a transfer is lawful only if it also complies with the requirements for international data transfers laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council 3 . Article 47(1), point (e), of Directive 2006/43/EC therefore requires Member States to ensure that the transfer of personal data between their competent authorities and the competent authorities of the United States complies with any applicable data protection principles and rules and, in particular, with the provisions of Chapter V of Regulation (EU) 2016/679. Member States should ensure that appropriate safeguards for the transfer of personal data are provided for, in accordance with Article 46 of that Regulation. In addition, Member States should ensure that the competent authorities of the United States will not further disclose personal data contained in the documents transferred without the prior agreement of the competent authorities of the Member States concerned.
(5) Member States may accept that inspections by their competent authorities are carried out jointly with the competent authorities of the United States where this is necessary to ensure effective supervision. Member States may allow that cooperation with the competent authorities of the United States takes place under the form of joint inspections or through observers without inspection or investigation powers and without access to the confidential audit working papers, to other documents held by statutory auditors or audit firms, or to inspection or investigation reports. It is necessary that such cooperation always takes place under the conditions set out in Article 47(2) of Directive 2006/43/EC, in particular as regards the need to respect sovereignty, confidentiality and reciprocity. Any joint inspections carried out in the Union by their competent authorities and the competent authorities of the United States under Article 47 of Directive 2006/43/EC will be under the leadership of the competent authority of the Member State concerned.
(6) Pursuant to the Sarbanes-Oxley Act of 2002 4 , in the United States of America, the Public Company Accounting Oversight Board has competence in the public oversight, external quality assurance, investigation and sanctions of auditors and audit firms. The Public Company Accounting Oversight Board implements adequate safeguards prohibiting and sanctioning disclosure by its current and former employees of confidential information to any third person or authority. Under the laws and regulations of the United States, the Public Company Accounting Oversight Board may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC. On that basis, the Public Company Accounting Oversight Board continues to meet requirements which should be declared adequate for the purposes of Article 47(1), point (c), of Directive 2006/43/EC.
(7) Pursuant to the Sarbanes-Oxley Act of 2002, in the United States of America, the Securities and Exchange Commission has oversight and enforcement authority over the Public Company Accounting Oversight Board. The Securities and Exchange Commission has competence in investigating auditors and audit firms; this Decision should therefore only cover the competences of the Securities and Exchange Commission of the United States to investigate auditors and audit firms. The Securities and Exchange Commission implements adequate safeguards prohibiting and sanctioning disclosure by its current and former employees of confidential information to any third person or authority. Under the laws and regulations of the United States, the Securities and Exchange Commission may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC, which relate to investigations it may perform on such auditors and audit firms. On that basis, the Securities and Exchange Commission continues to meet requirements which should be declared adequate for the purposes of Article 47(1), point (c), of Directive 2006/43/EC.
(8) The Committee of European Auditing Oversight Bodies has reassessed the legal framework in the United States, based on the Sarbanes-Oxley Act, which has not fundamentally changed since the adoption of Implementing Decision (EU) 2016/1156. Taking into account the technical assessment of the Committee of European Auditing Oversight Bodies referred to in Article 30(7), point (c), of Regulation (EU) No 537/2014 of the European Parliament and of the Council 5 , the Securities and Exchange Commission and the Public Company Accounting Oversight Board continue to meet requirements that should be declared adequate for the purposes of Article 47(1), point (c), of Directive 2006/43/EC.
(9) This Decision should not affect the cooperation arrangements referred to in Article 25(4) of Directive 2004/109/EC of the European Parliament and of the Council 6 .
(10) Any conclusion on the adequacy of the requirements met by the competent authorities of a third country pursuant to Article 47(3), first subparagraph, of Directive 2006/43/EC does not pre-empt any decision that the Commission may adopt on the equivalence of the public oversight, quality assurance, investigation and penalty systems for auditors and audit entities of that third country pursuant to Article 46(2) of that Directive.
(11) Several Member States’ competent authorities have working arrangements with the Public Company Accounting Oversight Board, as referred to in Article 47(1) of Directive 2006/43/EC. In most cases, there is also a Data Protection Agreement under Regulation (EU) 2016/679 or under national law based on Directive 95/46/EC of the European Parliament and of the Council 7 , which was repealed by that Regulation.