
When privacy and auditing collide

I remember studying Communism in a history class some decades ago and learning that one of the basic principles under that system held that property is never personally owned, just “administered” to benefit the people at large. Perhaps this explains the daily reports about Chinese hackers worming their way through private databanks inside western businesses and governments. Oddly, this concept seemed to operate in reverse when applied to a privacy argument that has rumbled on for years in China and on which we learned of a development last week.

On May 24th it emerged that the Public Company Accounting Oversight Board (PCAOB) had finally agreed with Chinese authorities some rights to access the audit work of Chinese firms checking the books of companies listed on US capital markets. Often the companies concerned are Chinese subsidiaries of US multinationals. Not unreasonably, the US Securities and Exchange Commission figures that if you are going to access our capital markets, we need to know that you have a capable auditor whose reports our investors can rely on. Until now, China had considered that any such review would violate its privacy laws. Auditors were caught in the crossfire created by this standoff between the US regulator and local Chinese law. The Chinese position seemed to argue that data within audit work papers really are private assets that should be protected from prying eyes lest business secrets leak out.

China is not alone in restricting access to data, and this can become problematic for auditors of all stripes, not just those regulated by the PCAOB. Privacy laws around the world, and especially in Europe, are making it increasingly difficult for auditors inside large global organizations to do their jobs properly. One of the most famous, and perhaps egregious, cases involving an auditor accessing data broke at German national railways operator Deutsche Bahn in 2009. Auditors claimed to be accessing personal records, including e-mails, in their fight to detect corrupt payments, and this led to claims that employee protection and privacy laws had been broken. In the ensuing furor over ‘Corporate Spying’ both the head of Deutsche Bahn and the Internal Auditor lost their jobs.

In my own experience, I have occasionally run into claims that some privacy law restricted the auditor from accessing records and this is an issue not to be taken lightly. In some cases, it has been suggested that data is not available to the auditor at all but more often there is some other restriction such as that it cannot be transported outside of the country in which it is stored or that it cannot be viewed by a non-national. Since it is impossible today for a good auditor to do his or her work without deploying technology to sift through databases of transactions to identify outliers or to analyse populations for at-risk transactions, this poses some practical problems. Companies and their Boards want to enhance controls and deter fraud by deploying smart auditing techniques to get at data. At the same time, no-one wants a front-page splash accusing management of ‘snooping’ on their people.

Thus far, we have been relying on our codes of professionalism to deal with this issue. One of only four principles of the Code of Ethics laid down by the Institute of Internal Auditors deals with confidentiality, demonstrating how critical this is for the profession. And yet the push back that comes on the basis of privacy laws suggests that perhaps this duty of confidentiality may not be widely acknowledged. There are two ways to fix this. First, each Chief Audit Executive (CAE) can include in the Board-issued Charter clear language that describes on the one hand the CAE’s duty of confidentiality and on the other hand a no-nonsense statement that all records are to be made available. This will deal with the frivolous or misguided efforts to restrict access. But to tackle the issue at source there is a need to engage directly with regulators to ensure that privacy laws themselves make explicit allowance for properly-constituted auditors acting in their professional capacity. This should apply to independent accountants and also to qualified and credentialed internal auditors following the Code of Ethics.

In the end, it seems the authorities may be beginning to concede that there is a shared interest in determining whether audit work is carried out competently, as this can only raise standards enabling investors to distinguish better between higher and lower risks. As more Chinese wealth is created that will seek investment opportunities, perhaps this is a good place to start.

About anthonyoreilly

I believe that organizations fail to get adequate assurance from their auditors and can both reduce cost while improving quality. As the Head of Professional Practices at Siemens, AG I played a leadership role in a major Corporate re-construction of a global audit function, from inside the engine room. After 10 years as a Partner in a Big Four firm, I was attracted by the opportunity of a turnaround challenge in one of the world's leading industrial companies. I moved my family to Germany and spent 4 years re-building this 450-person global audit organization back to health following a spectacular failure. I am attracted by challenge, cultural diversity and companies who are willing to put effort into it and get to the next level. I am not dismayed by resistance to change and seek to work with companies willing to invest in skilled people who want to advance their own careers while bringing the organization to new heights and reducing the total cost of operations. All of these things were accomplished in my time at Siemens. Prior to the role at Siemens, AG, I was a Partner at PricewaterhouseCoopers LLP, where I learned all I knew from the many challenging and professional clients I worked with. I am a published author and sought after speaker on Audit and Governance practices.
