The Sarbanes Oxley Privilege For Public Company Accounting Oversight Board Materials: Its Implications For SEC Enforcement Proceedings

Download PDF

Andrew J. Morris*

I.         Introduction

In 2002, a wave of high-profile accounting scandals led Congress to pass the Sarbanes-Oxley Act—“SOX.”[1] In SOX, Congress created the Public Company Accounting Oversight Board—the “PCAOB”—and charged it to oversee the auditors of public companies.[2] The PCAOB soon began inspecting accounting firms. According to knowledgeable commentators, these inspections have significantly improved the audits of public-company financial statements.[3]

Recent developments, however, threaten to undermine one of the critical foundations of the PCAOB oversight program: the “SOX privilege.” This statutory privilege ensures that the details of PCAOB inspections and investigations remain confidential.[4] The threat to this privilege arises when the PCAOB shares information with other regulators, including the Securities and Exchange Commission (“SEC” or the “Commission”). SOX permits this sharing, but only on the express condition that the receiving regulator must preserve the SOX privilege.[5] SOX makes this condition quite plain, stating that regulators who accept privileged information from the PCAOB “shall maintain such information as confidential and privileged.”[6]

The problem is that some private litigants, some SEC staff, and at least one court do not read this simple mandate to mean what it says. They find it counterintuitive—and therefore hard to accept—that a statute would restrict the SEC’s use of information it obtains from the PCAOB. This resistance to the statutory language is apparent in Securities & Exchange Commission v. Goldstone, 301 F.R.D. 593 (D.N.M. 2014), the first judicial opinion on the issue. In Goldstone, the United States District Court for the District of New Mexico concluded that when the SEC brings enforcement actions, it can disclose privileged information received from the PCAOB.[7]

This article explains how Goldstone misreads SOX. Part I briefly outlines why the privilege is critical to the success of the PCAOB’s inspection regime, and Part II sketches its statutory basis. Part III explains how Goldstone undermines the SOX privilege and, in turn, threatens to weaken the entire PCAOB oversight regime. Part III then shows that Goldstone creates practical problems for the PCAOB, for the auditing profession it oversees, and paradoxically, for the SEC itself. Finally, Part IV suggests that, in order to resolve these issues, the SEC should adopt a formal policy relating to PCAOB materials that acknowledges the full force of the SOX privilege and establishes internal procedures for working with materials covered by the privilege.

II.         The SOX Privilege Provides Confidentiality That Is Critical to the PCAOB’s Successful Inspection Regime

A.          The Effectiveness of the PCAOB’s Predecessor Was Hampered by the Absence of a Privilege Protecting Its Inspections

During the hearings that led Congress to pass SOX, several prominent witnesses criticized the audit regulator at the time (the predecessor to the PCAOB) as “ineffective.”[8] One reason for this ineffectiveness, according to the regulator itself, was its inability to shield its oversight process from private litigants who wanted information for lawsuits against accounting firms.[9]

The SEC, after conducting its own study of audit regulation, also concluded that confidentiality was important to effective oversight. It wrote at the time that auditing firms “may be less forthcoming in responding to [an auditing regulator] inquiry if they believe that the information they provide will be made public or made available to private litigants.”[10] It also warned that a failure to ensure confidentiality could harm audit quality, injure accounting firms unfairly, and harm the shareholders of the companies involved.[11]

B.          The Privilege Created by SOX Enables the PCAOB to Conduct Inspections That Are Effective Because They Are Cooperative Rather Than Adversarial

Congress provided this confidentiality when it passed SOX and established an improved oversight regime. The cornerstone of this regime is the PCAOB’s inspection program,[12] which examines accounting firms responsible for auditing 98 percent of U.S. market capitalization.[13] This program relies on a process that is cooperative rather than adversarial, and the SOX privilege is critical to maintaining a cooperative, frank exchange of information between the regulator, and the regulated.

Each inspection involves extensive dialog between the PCAOB and the inspected firm.[14] In a typical inspection, the PCAOB inspectors select a sample of the firm’s audit engagements, review audit workpapers and other materials, talk to auditors and other firm representatives, and then provide criticisms and suggestions.[15] The inspectors and the firm then exchange oral and written comments, typically in several informal rounds.[16] Often the firm agrees to make auditing changes proposed by the inspectors.[17] Ultimately the PCAOB issues a final inspection report, which the firm can ask the SEC to review.[18]

Congress specifically chose this interactive and constructive process.[19] As the PCAOB has explained, SOX “reflects a legislative policy choice favoring the correction of quality control problems over the exposure of them.”[20] For this reason, it “generally seeks, in its inspection program, to encourage constructive engagement, rather than to put firms in a position where they will perceive that their self-interest is better served by an adversarial and confrontational posture.”[21]

Accounting firms can safely participate in this “constructive engagement” only if they know that their compromises with the PCAOB will remain confidential and, therefore, will not be cited against them as evidence that audit work was inadequate.[22] The SOX privilege provides the necessary confidentiality by shielding PCAOB inspection and enforcement details from disclosure to third parties (with a narrow exception that is described below).[23]

The privilege thus gives auditors an incentive to accept the PCAOB’s comments and adjust audit procedures to address them. Because the SOX privilege permits auditors to agree with PCAOB inspectors without fear of incurring liability, it is a linchpin of the cooperative regulatory scheme.

According to the PCAOB, this guarantee of confidentiality has contributed to the effectiveness of the inspection program.[24] By 2007, the PCAOB reported that it was increasingly able to “foster improvement in audit quality through the on-site dialogue the inspection process allows for, in addition to more formal findings in inspection reports and other oversight actions.”[25] The PCAOB also reported that firms have routinely agreed to “perform[] missed or additional auditing procedures” on specific audits, and to make changes “to the firm’s internal quality control processes and systems.”[26] It concluded that “the effectiveness and the efficiency of the Board’s programs are enhanced when firms opt for constructive engagement rather than an adversarial approach.”[27]

III.        SOX Expressly Requires the SEC to Preserve the Privilege When It Receives Privileged Material from the PCAOB

A.          Subparagraph (A) Of Section 105(b)(5) Establishes The SOX Privilege

Congress established the SOX privilege in SOX Section 105(b)(5).[28] Subparagraph 105(b)(5)(A), titled “Confidentiality,” sets out the privilege’s basic elements.[29] Subparagraph (A) begins with a carve-out (“Except as provided in subparagraphs (B) and (C) . . . .”),[30] which excludes material that the PCAOB passes along to other regulators. This material is governed by Subparagraphs (B) and (C), which are discussed in Part II.B below. [31]

Subparagraph (A) then identifies the broad range of material it does govern: “all documents and information prepared or received by or specifically for the Board, and deliberations of the Board and its employees and agents, in connection with an inspection . . . or with an investigation.”[32]

The subparagraph next describes the protection provided by the privilege: The SOX privilege shields the governed material from “civil discovery or other legal process” and from introduction into evidence.[33] It then identifies the broad range of forums where the privilege applies: “any proceeding in any Federal or State court or administrative agency.”[34]

Finally, Subparagraph (A) says how the privilege can be terminated.[35] It states that information remains privileged “unless and until presented in connection with a public proceeding or released in accordance with [SOX Section 105(c)].”[36] That subsection, titled “Disciplinary procedures,” addresses disciplinary PCAOB proceedings against auditors.[37]

B.          Subparagraph (B) Permits the PCAOB to Share Privileged Information with Other Regulators—But Only on the Express Condition That Those Regulators Preserve the Privilege

Next in SOX Section 105(b)(5), subparagraphs (B) and (C) govern the material carved out of subparagraph (A). They permit the PCAOB to share information with regulators in the United States (Subparagraph (B)) and elsewhere (Subparagraph (C)).[38]

Subparagraph (B), titled “Availability to Government agencies,” authorizes the PCAOB to share privileged material with “(i) [T]he Commission; [and] (ii) [other enumerated regulators, including] the Attorney General of the United States[,] State attorneys general, . . . state regulatory authorit[ies]; and [certain] self-regulatory organization[s] . . . .”[39] Crucially, however, it requires that those entities “maintain such information as confidential and privileged.[40] This is the provision that binds the SEC to preserve the privilege for material it receives from the PCAOB.

IV.         The Court in SEC v. Goldstone Erred When It Held that the SEC Can Disclose Privileged Material Received from the PCAOB

In sum, SOX Section 105 permits the PCAOB to share privileged material with other regulators, but only on the condition that those regulators “maintain such information as confidential and privileged.”[41] The statutory language and structure are simple. Yet the one judicial opinion on the issue, SEC v. Goldstone, declines to enforce the statute as written.

A.          The Court Overrode SOX’s Plain Language to Create an Exception to the Mandate that the SEC “Shall Maintain” the Privilege

1.          The Goldstone Court’s Reading of the Statute

Goldstone was an SEC enforcement action against several officers of a registrant.[42] During the litigation’s discovery phase, the officers demanded that the SEC produce documents it had previously received from the PCAOB.[43] The PCAOB had generated these documents when it had investigated the registrant’s auditor.[44] Then, under the authority granted to it under Subparagraph (B) of SOX Section 105(b)(5), the PCAOB had transmitted the documents to the SEC during the SEC’s investigation of the registrant’s management.[45] When these documents were created, they were covered by the SOX privilege—a point not disputed by any party in Goldstone.[46]

The Goldstone defendants moved to compel the SEC to produce this material, arguing that it no longer was privileged.[47] They contended that the SEC had relied on the material when it drafted its complaint;[48] the defendants then pointed to the clause at the end of SOX Section 105(b)(5)(A) providing that the privilege is terminated if material is “presented in connection with a public proceeding.”[49] The defendants argued that the SEC had “presented” the material “in connection with a public proceeding” by relying on it to draft the complaint in the enforcement case. [50] The SEC opposed the defendants’ motion, in particular contending that it had not relied on the documents when it drafted the complaint in this case.[51]

The registrant’s auditor intervened in the litigation.[52] Like the SEC, the accounting firm opposed the defendants’ motion to compel.[53] But unlike the SEC,[54] the firm disputed the very first step in the defendants’ argument: The firm contended that SOX prohibited the SEC from disclosing the PCAOB documents whether or not the SEC had relied on them to draft the complaint.[55] In support, the firm cited Subparagraph (B)’s mandate that the SEC “shall maintain” SOX-privileged “information as confidential and privileged.”[56] It also pointed out that this mandate contains no exceptions.[57]

The court disagreed with the accounting firm and concluded that, despite this mandate, the SEC had the authority to disclose the material.[58] The court ultimately did not order the SEC to produce the documents, though only because it found that, as a factual matter, the SEC had not actually relied on them in the litigation.[59] But the damage to the SOX privilege was done, because the court had already concluded that the SEC has the authority to terminate the privilege.[60]

To reach this conclusion, the court first turned to the SOX clause stating that covered information remains privileged “unless and until presented in connection with a public proceeding or released in accordance with subsection (c).”[61] This clause is contained in Subparagraph (A), not Subparagraph (B), and is the only clause in the statute that addresses termination of the privilege. The court construed the word “proceeding” to refer, not only to PCAOB disciplinary proceedings, but also to SEC litigation. In other words, the court reasoned, this clause indicated that the SEC has the authority to terminate the SOX privilege by “presenting” privileged material in its own litigation.[62]

The court’s reading of this Subparagraph (A) clause to include SEC litigation was clear error, as explained below. But even in light of its reading of Subparagraph (A), the court still was confronted with Subparagraph (B)’s explicit mandate that the SEC “shall maintain” the privilege.[63] This mandate contains no written exceptions.[64]

The court proceeded to infer an exception that is unwritten. The court reasoned that it makes no sense to permit the SEC to receive privileged information from the PCAOB—as the first part of Subparagraph (B) permits—while also requiring the SEC to keep that information confidential—as the latter part of Subparagraph (B) requires.[65] The court explained its reasoning: “If the Attorney General or the SEC could never bring an action and present the information, there would be no useful reason to share the information.”[66]

Although the court also reasoned that “the ‘until presented’ language [in Subparagraph (A)] would not mean anything” if the SEC were not permitted to “present” PCAOB information in SEC litigation, the court reiterated that the decisive factor was the Subparagraph (B) provision permitting the PCAOB to share information with the SEC.[67] The court thus summed up: “The Court is not sure what benefit it would be for the PCAOB to share documents and information from its investigations or inspections,” as Subparagraph (B) permits, “if the SEC or other government agencies may not then use the information.”[68]

2.          Flaws in the Court’s Reasoning

The court’s discussion makes a hash of the statute. To begin, Subparagraph (A)’s “unless and until presented” clause does not apply to material that the PCAOB discloses to the SEC. That material is covered by Subparagraph (B), and Subparagraph (A) begins with the simple carve-out clause, “Except as provided in Subparagraph[] (B).” The court thus erred by even considering the “unless and until presented” clause.[69]

In any event, although the court cited this clause, the decisive factor for the court was Subparagraph (B)’s provision permitting the PCAOB to share privileged information with the SEC.[70] Based on the court’s view of the purpose of this sharing provision, the court overrode the plain text of the privilege requirement contained later in the same subparagraph—in fact, later in the same sentence. It did so based on its belief that a more sensible statute would permit the SEC to use PCAOB information in its own litigation. The court apparently concluded that, if Congress had thought about it, Congress would have created an exception permitting the SEC to use this information in enforcement matters.

This reasoning has no basis in the statute’s words or structure; it overrides both in pursuit of a better policy. And that pursuit rests on another error: the assumption that, unless the SEC can use PCAOB material in enforcement actions, it cannot use the material at all. But SOX does permit the SEC to use PCAOB materials for other purposes—purposes that are quite important. In particular, the SEC can use this information to inform its oversight of the PCAOB as well as to support its responsibility for rulemaking relating to financial-statement audits.[71] These uses do not require the Commission to break the SOX privilege. On the other hand, SOX itself shows that Congress was aware of the possible use for which the Goldstone court created an exception: litigation relating to the audits at issue.[72] Yet, Congress did not create an exception permitting use of PCAOB material in litigation outside the PCAOB.

Congress also knew that the SOX privilege does what every legal privilege does: It forbids the discovery and use of evidence that may be relevant in litigation.[73] Yet Congress chose to require regulators, specifically including the SEC, to preserve the SOX privilege.

The court’s reasoning suffers from one more flaw. Not only did the court override clear text based on a policy goal, it chose a policy goal that conflicts with the one that motivated the statute at issue. The court’s policy goal was to increase the SEC’s authority in enforcement cases, but the statute’s policy goal was to improve the oversight regime for financial-statement audits—and to do so by ensuring that PCAOB oversight activities remain confidential.[74] The Goldstone court’s conclusion works against that goal by opening a hole in the shield of confidentiality—thus working against Congress’s purpose in creating the SOX privilege in the first place.

B.          The Goldstone Holding Upsets the Information-Sharing Scheme Established by SOX and Works Against SOX’s Statutory Purpose

Applied to other cases, the Goldstone holding can lead to the disclosure of reams of PCAOB-related documents that, to date, have been shielded by the SOX privilege. When Subparagraphs (A) and (B) are read correctly—with no inferred exceptions—SOX-privileged information can be disclosed only by the PCAOB, and only in a specific, narrow context. This context is limited to final orders in PCAOB disciplinary actions that result in sanctions against an auditor or firm.[75] These orders disclose a limited amount of privileged information, because an order describes only the facts that are relevant to the final decision.[76] The PCAOB does not disclose any privileged documents at all.[77]

By contrast, the Goldstone reading of SOX permits the SEC to produce extensive amounts of privileged information. By producing PCAOB material in discovery, the SEC can disclose extensive documentary records otherwise covered by the SOX privilege: for example, entire histories of firm inspections, files of correspondence with auditors, and volumes of the extensive testimony that the PCAOB takes during its investigations. Once these documents are disclosed, they are available to any third party with access to a subpoena—indeed, once the documents have been disclosed, third parties could subpoena them directly from the SEC. Goldstone thus creates a glaring anomaly: It gives the SEC, and through it these unknown third parties, far broader authority to disclose PCAOB oversight materials than the statute gives the PCAOB itself.[78]

In sum, Goldstone re-creates the same problems that led SOX’s drafters to create the privilege in the first place, because it weakens the protection the privilege provides to accounting firms. This result works against Congress’ purpose in adopting the SOX privilege.[79]

C.         The Court’s Opinion Conflicts with the Stated Position of the PCAOB

Goldstone also presents the PCAOB itself with significant compliance and ethical issues, as well as complications in its relationship with the SEC. The PCAOB has stated that it reads SOX to prohibit agencies from disclosing privileged information that the PCAOB shares with them.[80] For this reason, the PCAOB already has warned that, if an agency did disclose privileged information, the PCAOB could exercise its discretion to decline to provide requested information or could “require appropriate assurances of confidentiality.”[81] Against this background, Goldstone puts the PCAOB in an uncomfortable bind.

V.         The SEC Should Adopt a Policy Stating That It Will Comply with Its Statutory Duty to Preserve the SOX Privilege

A.         The SEC Staff Has Taken Inconsistent Positions in Litigation

These problems are further complicated by the SEC’s own inconsistent positions on the SOX privilege. In Goldstone the SEC did not dispute that it has the authority to disclose material covered by the SOX privilege.[82] In another enforcement action, the Enforcement Division actually produced privileged information it had received from the PCAOB.[83] In yet another case, however, the SEC properly asserted that SOX Section 105(b)(5)(A) and (B) “expressly prohibit the Commission from turning [materials received from the PCAOB] over in discovery to anyone.”[84] This inconsistency creates various risks for the SEC. Among other problems, it could invite arguments that the Commission’s positions are arbitrary and capricious—arguments that conceivably could lead to reversal of a judgment in the SEC’s favor.[85]

B.         An Express SEC Policy Could Ensure Compliance with SOX and Restore Certainty to the Privilege Protection that Is Critical to the PCAOB’s Oversight Regime

Without waiting for the courts to correct Goldstone, the SEC can and should restore certainty to the SOX privilege by adopting a written policy that governs information it receives from the PCAOB. The policy should acknowledge the SEC’s statutory obligation to “maintain” covered information as “confidential and privileged.”[86] It should include a process through which senior staff evaluates the risks in each case before the SEC even requests privileged material from the PCAOB.

The policy also should include procedures to ensure that, once the SEC does take possession of privileged material, it can show that it did not waive the privilege. (Although the proper reading of SOX indicates that the SEC cannot waive the privilege, even inadvertently, litigating that point in multiple enforcement proceedings would be costly and wasteful.)[87] A policy should establish that SEC Staff will oppose any discovery demands for privileged material. The policy also should require the Staff to notify the PCAOB and the relevant accounting firm about any such demands.

Such a policy would not hinder the SEC’s enforcement efforts. Preserving the SOX privilege does not reduce access to the types of evidence the Enforcement Division routinely obtains in accounting cases, such as audit workpapers and auditor testimony.[88] And PCAOB-inspection materials have no real evidentiary value anyway; inspection reports are non-adjudicated statements that, as the PCAOB has warned, “are not intended to result in conclusive findings.”[89]

Nor would a policy preserving the SOX privilege cause any prejudice to the defense in SEC enforcement actions. Like the SEC, respondents would still have the rights to use the usual discovery tools.[90] And Section 105’s statement that privileged information is inadmissible as evidence protects respondents in administrative proceedings and defendants in civil litigation from use of this information against them.[91]

While such an SEC policy would not hinder either side in enforcement actions, its benefits would be substantial. It would ensure that SEC Staff take an informed, uniform position on the SOX privilege. It would give the Staff guidance about appropriate practices for working with PCAOB materials. And it could help avoid the substantial collateral litigation, as seen in Goldstone, that can flare up when the SEC possesses privileged information.

A written policy also would guide the proper development of the law. Most judges have no experience with the PCAOB, and they would give considerable weight to the view of the agency that exercise oversight over it.

An SEC policy also would guide other regulators to which the PCAOB may provide SOX-privileged information, including the Department of Justice, state attorneys general, and other regulatory bodies.[92] SOX Section 105(b)(5)(B) requires these regulators to preserve the privilege.[93] When these regulators analyze their privilege obligations under SOX, they are likely to give considerable weight to the views of the SEC, which is the agency with the most expertise on the issue.

Most importantly, by removing much of the uncertainty created by Goldstone and the SEC’s litigation positions, a policy would strengthen the PCAOB inspection system. It would assure the PCAOB that information it provides to the SEC will remain confidential. This assurance would, in turn, preserve the ability of auditing firms to cooperate fully and freely with the PCAOB without fear that their cooperation could be used against them. All of these developments would contribute to improved audit quality, which is the goal established by Congress and shared by the PCAOB and the SEC.[94]


Preferred citation: Andrew J. Morris, The Sarbanes Oxley Privilege For Public Company Accounting Oversight Board Materials: Its Implications For SEC Enforcement Proceedings, 5 Harv. Bus. L. Rev. Online 87 (2015),

* Andrew J. Morris is a partner in Morvillo LLP.

[1] Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (2002) (codified as amended in sections of 11, 15, 18, and 29 U.S.C.).

[2] See 15 U.S.C. § 7211(a) (2012) (“There is established the Public Company Accounting Oversight Board, to oversee the audit of companies that are subject to the securities laws, and related matters, in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports.”)

[3] In 2014, PCAOB Member Lewis Ferguson stated that, “I think those of us in this business do have a sense that audit quality is improving.” Ken Tysiac, Regulators Suggest Firms Take Deep Dive Into Audit Quality, Journal of Accountancy (Apr. 10, 2014), In 2012, PCAOB Member Jeanette M. Franzel stated that, “[w]e’ve had many stakeholders and members of the profession tell us that they believe that auditor independence and audit quality have been strengthened since the passage of the Sarbanes-Oxley Act, and we also believe that audit quality has improved.” Jeanette M. Franzel, Member, PCAOB, Keynote Address at the American Law Institute Continuing Legal Education Conference: PCAOB: Protecting Investors and the Public Interest (Sep. 13, 2012) (transcript available at In the same vein, a recent SEC Commissioner put it, “[t]hanks to the PCAOB’s work we have seen huge improvements in audit quality, investor confidence, and overall corporate governance.” Roel C. Campos, Comm’r, SEC, Remarks Before the SEC Open Meeting on the 2007 PCAOB Budget (Dec. 4, 2006) (transcript available at

[4] 15 U.S.C. § 7215(b)(5)(A) (2012).

[5] 15 U.S.C. § 7215(b)(5)(B) (2012).

[6] Id.

[7] See SEC v. Goldstone, 301 F.R.D. 593, 666–71 (D.N.M. 2014).

[8] S. Rep. No. 107-205, at 5 (2002).

[9] See Accounting Reform and Investor Protection: Hearings Before the S. Comm. on Banking, Hous., and Urban Affairs, 107th Cong. 987 (2002) [hereinafter Hearings] (prepared statement of the Public Oversight Board) (reproducing white paper by the predecessor to the PCAOB, entitled The Road to Reform: A White Paper from the Public Oversight Board on Legislation to Create a New Private Sector Regulatory Structure for the Accounting Profession). Witnesses testifying before Congress agreed that privilege would make the investigatory and disciplinary functions of the new audit regulator more effective. See, e.g., Hearings, supra note 9, at 579 (statement of Joel Seligman, Dean, Washington University School of Law in St. Louis) (recommending that Congress create a new auditing regulator whose activities are protected by a “privilege from discovery of investigative files to facilitate auditing discipline during the pendency of other Government or private litigation”); S. Rep. No. 107-205, at 10 (2002) (“Committee witnesses also emphasized that information gathered by Board investigators should be ‘privileged from outsiders’ during the investigative process.”).

[10] Framework for Enhancing the Quality of Financial Information Through Improvement of Oversight of the Auditing Process, 67 Fed. Reg. 44,964, 44,987 (July 5, 2002) [hereinafter Proposed SEC Framework].

[11] See id. at 44,987 n.122.

[12] PCAOB, Statement Concerning The Issuance Of Inspection Reports, PCAOB Release No. 104-2004-001, at 2 (2004).

[13] Steven B. Harris, Member, PCAOB, Background on the PCAOB, Address at Kennesaw State Meeting of Graduate Students of Accounting (2013) (transcript available at

[14] See generally PCAOB, Report on the PCAOB’s 2004, 2005, 2006, and 2007 Inspections of Domestic Annually Inspected Firms, PCAOB Release No. 2008-008 (2008).

[15] See id. at 7–8.

[16] Id.

[17] Id.

[18] Id.

[19] See id. at 9–10 (outlining the “regular and comprehensive review” process, which entails inspectors preparing and providing draft reports to audit firms for review and comment before the report is finalized, and gives each firm twelve months within which to remedy quality control defects before the PCAOB issues a public report on those defects).

[20] PCAOB, The Process for Board Determinations Regarding Firms’ Efforts to Address Quality Control Criticisms in Inspection Reports, PCAOB Release No. 104-2006-077, 2 (2006).

[21] Id. at 8; see also PCAOB, 2006 Annual Report 10 (2007) (stating that SOX “reflects a legislative policy choice encouraging self-correction and is a cornerstone of the PCAOB’s supervisory oversight model”).

[22] See, e.g., Hearings, supra note 9, at 22 (testimony of David S. Ruder, former chairman of the SEC) (referring to the need for a privilege), 371 (testimony of John Biggs, member of the Public Oversight Board and Chairman, President, and CEO of TIAA–CREF) (same).

[23] See infra text accompanying notes 28–40.

[24] See, e.g., PCAOB, Observations on the Initial Implementation of the Process for Addressing Quality Control Criticisms Within 12 Months After an Inspection Report, PCAOB Release No. 104-2006-078, 2 (2006) (“The Board’s initial experience with the 12-month remediation process generally validates the premise of the approach set out by Congress . . . that firms could be genuinely motivated by the prospect of keeping the Board’s quality control criticisms confidential. . . . [T]he firms were responsive to the Board’s supervisory model, taking the initiative to engage constructively with the staff in an ongoing dialogue toward a result satisfactory to the Board, rather than emphasizing points of disagreement and taking an adversarial approach.”).

[25] PCAOB, 2007 Annual Report 3 (2008).

[26] PCAOB, 2008 Annual Report 9 (2009); see also Sarbanes-Oxley at Four: Protecting Investors and Strengthening Markets: Hearing Before the H. Comm. on Fin. Serv., 109th Cong. 72 (2006) (statement of then-PCAOB Chairman Mark Olson) (“When firms approach inspections with a cooperative attitude, the PCAOB has been able to achieve significant real-time improvements, often even before an inspection is concluded.”).

[27] See PCAOB Release No. 104-2006-077, supra note 20, at 8.

[28] See 15 U.S.C. §7215(b)(5) (2012).

[29] 15 U.S.C. §7215(b)(5)(A) (2012).

[30] Id.

[31] See infra text accompanying notes 38–40.

[32] 15 U.S.C. § 7215(b)(5)(A) (2012).

[33] Id.

[34] Id.

[35] SOX prohibits the PCAOB from disclosing SOX-privileged information in inspection reports that it makes public. See Sarbanes-Oxley Act of 2002 § 104(g)(2), 15 U.S.C. § 7214(g)(2) (2012). The PCAOB typically acknowledges this limitation on the first page of the public version of inspection reports, which state that “[p]ortions of the complete report are omitted from this document in order to comply with Sections 104(g)(2) and 105(b)(5)(A) of” SOX. See, e.g., Inspection of Aaron Stein, PCAOB Release No. 104-2008-126A, at 1 (July 31, 2008).

[36] 15 U.S.C. § 7215(b)(5)(A) (2014) (emphasis added).

[37] See Sarbanes-Oxley Act of 2002 § 105(c), 15 U.S.C. § 7215(c) (2012) (“Disciplinary procedures”). This provision refers to PCAOB disciplinary proceedings, which are confidential unless and until there is a settled order or, after hearing and exhaustion of appeals to the Board and the full Commission, there is a final finding of unprofessional conduct against an auditor. See id.

[38] See 15 U.S.C. §§ 7215(b)(5)(B), (C) (2012).

[39] SOX provides that the PCAOB is permitted to make covered information available to regulators other than the SEC only when the Board determines that making the information available is “necessary to accomplish the purposes of this Act or to protect investors.” Sarbanes-Oxley Act of 2002 § 105(b)(5)(B), 15 U.S.C. § 7215(b)(5)(B) (2012).

[40] Id. (emphasis added). Subparagraph (C) imposes a similar duty on the PCAOB; it requires PCAOB to obtain sufficient “assurances of confidentiality” from foreign regulators before disclosing privileged information. See 15 U.S.C. § 7215(b)(5)(C).

[41] Sarbanes-Oxley Act of 2002 § 105(b)(5)(B), 15 U.S.C. § 7215(b)(5)(B).

[42] SEC v. Goldstone, 301 F.R.D. 593, 593 (D.N.M. 2014).

[43] Id. at 607.

[44] Id.

[45] Id. at 608.

[46] Id.

[47] Id. at 607–08, 612.

[48] Id. at 608.

[49] Id. at 607–­08, 612.

[50] Id. at 608.

[51] Id. at 672–73.

[52] Id. at 616, 670–71  The court acknowledged that the auditor was a holder of the privilege. Id. at 670–71. But the court went on to conclude—incorrectly—that the SEC also was a holder of the privilege and therefore had the power to waive it. See id. at 671–72.

[53] Id. at 616, 670-71.

[54] The SEC did not dispute that it had the authority to disclose privileged material. See id. at 608, 613–15, 638, 640, 671; see also Plaintiff SEC’s Opposition To Defendants’ Motion To Compel Production of PCAOB Deposition Transcripts & Plaintiff’s Notes & Memoranda Of Interviews With Non-Party Witnesses at 6–9, SEC v. Goldstone, 301 F.R.D. 593, 593 (D.N.M. 2014) (No. 12-257), 2012 WL 6709556 (arguing that the SEC had not presented the transcripts in a public proceeding).

[55] See Goldstone, 301 F.R.D. at 616, 670–72; see also United States v. Cuthbertson, 630 F.2d 139, 147 (3d Cir. 1980) (finding that, as a general matter, only the holder of a privilege can waive it).

[56] Goldstone, 301 F.R.D. at 671.

[57] Id. at 620. The firm also argued that the words “unless and until” limit the clause’s application to PCAOB proceedings. Id. The firm explained that this clause limits “public proceedings” to those covered by “subsection (c)” and that “subsection (c)” addresses only PCAOB disciplinary matters. Id. at 616.

[58] Id. at 672.

[59] Id. at 673–74.

[60] Id. at 672.

[61] Id. at 671–72 (quoting 15 U.S.C. § 7215(b)(5)(A)).

[62] Goldstone, 301 F.R.D. at 672.

[63] See 15 U.S.C. § 7215(b)(5)(A).

[64] Goldstone, 301 F.R.D. at 672.

[65] Id.

[66] Id.

[67] Id.

[68] Id.

[69] Even if Subparagraph (A) did not contain the carve-out for documents shared under Subparagraph (B), the “unless and until presented” clause still would not apply to SEC proceedings. The clause limits its application to matters brought under SOX Section 105(c), which addresses PCAOB disciplinary procedures. See Sarbanes-Oxley Act of 2002 § 105(c), 15 U.S.C. § 7215(c).

[70] See Goldstone, 301 F.R.D. at 672.

[71] See 15 U.S.C. § 7217 (“The Commission shall have oversight and enforcement authority over the Board”).

[72] SOX acknowledges that PCAOB inspections may include the “subject of ongoing litigation or other controversy between the firm and 1 or more third parties.” 15 U.S.C. § 7214(d)(1).

[73] See 2-V Moore’s Federal Rules Pamphlet § 500.1 (2014) (“A privilege works to keep relevant and otherwise admissible evidence from the trier of facts.”). Congress is presumed to know common law. See Lorillard v. Pons, 434 U.S. 575, 583 (1978) (“[W]here words are employed in a statute which had at the time a well-known meaning at common law or in the law of this country they are presumed to have been used in that sense unless the context compels to the contrary.”) (citation and internal quotation marks omitted).

[74] See supra text accompanying notes 6–24.

[75] See 15 U.S.C. § 7215(b)(5)(C) (requiring the PCAOB to provide a supporting statement for each determination to impose a sanction). The PCAOB also can disclose privileged information in a disciplinary hearing, but only if the respondent so consents. See 15 U.S.C. § 7215(b)(5)(A) (permitting disclosure in a “public proceeding”); 15 U.S.C. § 7215(c)(2) (permitting a public hearing only “with the consent of the parties to such hearing”).

[76] 15 U.S.C. §§ 7215(c)(3), 7215(b)(5); see also Enforcement, Public Company Accounting Oversight Board, (last visited May 25, 2015).

[77] Enforcement, Public Company Accounting Oversight Board, (last visited May 25, 2015).

[78] The PCAOB can disclose SOX-privileged information without the auditing firm’s consent only after the completion of a disciplinary proceeding in which it imposes sanctions on an auditor. See 15 U.S.C. § 7215(b)(5)(A)  (authorizing disclosure in accordance with 15 U.S.C. § 7215(c)); 15 U.S.C. § 7215(c)(3) (requiring the PCAOB to provide a supporting statement when it imposes a sanction).

[79] On interpreting statues to effect statutory purpose as evidenced by the text, see W. Va. Univ. Hosps., Inc. v. Casey, 499 U.S. 83, 98–99 (1991).

[80] See 15 U.S.C. §§ 7215(b)(5)(A), (c)(2); see also PCAOB Release No. 104-2004-001, supra note 12, at 9 (acknowledging that SOX requires the PCAOB to keep information covered by SOX Section 105 and other information about investigations and disciplinary proceedings confidential unless and until the Board finds a violation and the respondent has had the opportunity to seek SEC review of that finding). According to a 2003 PCAOB Release adopting initial rules on investigations and disciplinary proceedings, Subparagraph (B) “forbids [agencies] to disclose” privileged material they have received from the PCAOB. PCAOB, Rules On Investigations And Adjudications, PCAOB Release No. 2003-015, at A2-42 (2003).

[81] See PCAOB Release No. 2003-015, supra note 80, at A2-42.

[82] See supra notes 51 and 54.

[83] See Goldstone, 301 F.R.D 593 at 613, 619, 637–38, 641; see also Objections of Plaintiff SEC to Special Master Order Granting Defendant Tekulve’s Motion to Compel Responses to Second Set of Interrogatories, SEC v. Jensen, No. CV 11–5316–R, 2013 WL 6499699 (C.D. Cal. Dec. 10, 2013) (No. 11-5316). Because the Staff did not assert the privilege before it produced this material, that case did not generate an analysis of the relevant SOX provisions. See Jensen, No. CV 11–5316–R, 2013 WL 6499699 (C.D. Cal. Dec. 10, 2013).

[84] Plaintiff’s Memorandum of Law in Support of Its Motion for a Protective Order at 11, SEC v. Aragon Capital Mgmt., LLC, No. 07 Civ. 919(FM), 2011 WL 3278642 (S.D.N.Y. July 26, 2011), (No. 114), 2008 WL 2779505. That case did not lead to a relevant opinion, however, because the court granted the SEC’s motion for a protective order without reaching the privilege issue. See Discovery Order, SEC v. Aragon Capital Mgmt., LLC, No. 07 Civ. 919(FM), 2011 WL 3278642 (S.D.N.Y. July 26, 2011), (No. 123).

[85] See 5 U.S.C. § 706 (2012) (identifying as “unlawful” any “agency action . . . found to be . . . arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law”).

[86] Sarbanes-Oxley Act of 2002 § 105(b)(5)(B), 15 U.S.C. § 7215(b)(5)(B) (2012).

[87] As a general matter, only the holder of a privilege can waive it. See Moore’s, supra note 73.

[88] See PCAOB Release No. 104-2004-001, supra note 12, at 8–9.

[89] See id.

[90] The SEC pointed this out more than ten years ago, in its 2002 discussion of audit regulation. See Proposed SEC Framework, supra note 10, at 44,987.

[91] See 15 U.S.C. § 7215(b)(5)(A) (stating that covered material “shall be confidential and privileged as an evidentiary matter”).

[92] See 15 U.S.C. § 7215(b)(5)(B).

[93] Id.

[94] See S. Rep. No. 107-205, supra note 8, at 58.