I remember studying Communism in a history class some decades ago and learning that one of the basic principles under that system held that property is never personally owned, just “administered” to benefit the people at large. Perhaps this explains the daily reports about Chinese hackers worming their way through private databanks inside western businesses and governments. Oddly, this concept seemed to operate in reverse when applied to a privacy argument that has rumbled on for years in China and on which we learned of a development last week.
On May 24th it emerged that the Public Company Accounting Oversight Board (PCAOB) had finally agreed with Chinese authorities some rights to access the audit work of Chinese firms checking the books of companies listed on US capital markets. Often the companies concerned are Chinese subsidiaries of US multinationals. Not unreasonably, the US Securities and Exchange Commission figures that if you are going to access our capital markets, we need to know that you have a capable auditor whose reports our investors can rely on. Until now, China had considered any such review would violate its privacy laws. Auditors were caught in the crossfire created by this standoff between the US regulator and local Chinese law. The Chinese position seemed to argue that data within audit work papers really are private assets that should be protected from prying eyes lest business secrets leak out.
China is not alone in restricting access to data and this can become problematic for auditors of all stripes, not just those regulated by the PCAOB. Privacy laws around the world, and especially in Europe, are making it increasingly difficult for auditors inside large global organizations to do their jobs properly. One of the most famous, and perhaps egregious, cases involving an auditor accessing data broke at German national railways operator Deutsche Bahn in 2009. Auditors claimed to be accessing personal records, including e-mails, in their fight to detect corrupt payments and this led to claims that employee protection and privacy laws had been broken. In the ensuing furor over ‘Corporate Spying’ both the head of Deutsche Bahn and the Internal Auditor lost their jobs.
In my own experience, I have occasionally run into claims that some privacy law restricted the auditor from accessing records and this is an issue not to be taken lightly. In some cases, it has been suggested that data is not available to the auditor at all but more often there is some other restriction such as that it cannot be transported outside of the country in which it is stored or that it cannot be viewed by a non-national. Since it is impossible today for a good auditor to do his or her work without deploying technology to sift through databases of transactions to identify outliers or to analyse populations for at-risk transactions, this poses some practical problems. Companies and their Boards want to enhance controls and deter fraud by deploying smart auditing techniques to get at data. At the same time, no-one wants a front-page splash accusing management of ‘snooping’ on their people.
Thus far, we have been relying on our codes of professionalism to deal with this issue. One of only four principles of the Code of Ethics laid down by the Institute of Internal Auditors deals with confidentiality, demonstrating how critical this is for the profession. And yet the pushback that comes on the basis of privacy laws suggests that perhaps this duty of confidentiality may not be widely acknowledged. There are two ways to fix this. First, each Chief Audit Executive (CAE) can include in the Board-issued Charter clear language that describes on the one hand the CAE’s duty of confidentiality and on the other hand a no-nonsense statement that all records are to be made available. This will deal with the frivolous or misguided efforts to restrict access. But to tackle the issue at source there is a need to engage directly with regulators to ensure that privacy laws themselves make explicit allowance for properly-constituted auditors acting in their professional capacity. This should apply to independent accountants and also to qualified and credentialed internal auditors following the Code of Ethics.
In the end, it seems the authorities may be beginning to concede that there is a shared interest in determining whether audit work is carried out competently, as this can only raise standards enabling investors to distinguish better between higher and lower risks. As more Chinese wealth is created that will seek investment opportunities, perhaps this is a good place to start.