Public companies should prepare for a more strenuous auditing process, and the increased likelihood that the information that they share with their auditors could be compelled by the Securities and Exchange Commission (SEC) during an investigation. This new dynamic has resulted from two recent developments: (1) the SEC’s decision to revamp their Public Company Accounting Oversight Board (PCAOB), which will likely increase the board’s enforcement of audits of public companies, and (2) a recent decision of the U.S. District Court for the District of Columbia in SEC v. RPM International, Inc., (SEC v. RPM) in which the court held that RPM had waived its attorney-client privilege by sharing certain information about an internal investigation with its auditors.
We expect that the enhanced enforcement of public company audits from the more active PCAOB will cause auditors to more aggressively seek and review information from their clients. At the same time, companies may be loath to share more information with their auditors under the threat of potential disclosure to the SEC.
I. A New PCAOB Will Likely Result in Enhanced Enforcement and Scrutiny of Audits
The PCAOB was established under the Sarbanes-Oxley Act of 2002 to “oversee the audits of public companies in order to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.”  The PCAOB has four primary duties:
- Register public accounting firms that prepare audit reports for issuers, brokers, and dealers;
- Establish or adopt auditing and related attestation, quality control, ethics, and independence standards;
- Inspect registered firms’ audits and quality control systems; and
- Investigate and discipline registered public accounting firms and their associated persons for violations of specified laws, rules, or professional standards.
More than 1,700 auditing firms are registered with the PCAOB, including 560 firms that “audit more than 12,000 issuers that file financial statements with the SEC or otherwise play a substantial role in those audits.” 
On May 25, Senators Elizabeth Warren (D-MA) and Bernie Sanders (I-VT) called on the SEC to replace the five sitting members of the PCAOB. Warren and Sanders wrote a letter to SEC Chair Gary Gensler, claiming that the PCAOB “has long been a troubled agency,” which has been weakened by the Trump administration.  Warren and Sanders cited a Wall Street Journal article, which reported that the recent trouble with the PCAOB began in 2017 when former SEC Chair Jay Clayton fired the entire PCAOB board for leaking confidential inspection plans to KPMG.  According to Warren and Sanders, Clayton then appointed replacement board members comprised of “partisan cronies with a deregulatory agenda and little relevant experience.”  Warren and Sanders took aim specifically at PCAOB Chairman William Duhnke’s leadership due to (1) the PCAOB’s enforcement actions plummeting by 63%, (2) Duhnke’s move to reduce PCAOB’s budget, and (3) Duhnke’s failure to hold a single advisory meeting in 2019.
On June 4, under pressure from the Warren-Sanders letter, the SEC announced that it removed Duhnke from his role as PCAOB chair, and intends to seek candidates to fill all five board positions on the PCAOB. Included in the SEC’s announcement of Duhnke’s removal, SEC Chair Genslar’s stated that the “PCAOB has an opportunity to live up to Congress’s vision in the Sarbanes-Oxley Act.”
It is unclear if there will be any policy shifts due to the recent changes, but given the PCAOB overhaul in response to the Warren-Sanders letter that characterized the PCAOB as ineffective, it is likely the PCAOB will become more robust and enforcement focused. The changes are likely to put pressure on auditors and companies to engage in more intense audits.
II. The SEC v. RPM Decision Provides the SEC Support to Compel Information Companies Share with Auditors
In a similar vein, the decision of the D.C. Circuit in SEC v. RPM also may lead to tension between auditors and companies. The District Court compelled RPM International (RPM) to produce information to the SEC about an internal investigation that RPM considered to be privileged, including interview memoranda, because the information had been shared by RPM’s outside counsel with RPM’s outside auditors. This decision may cause companies to be more discerning with the nature and type of investigation-related information they share with their auditors out of concern that the SEC could seek to compel such information down the road. At issue in SEC v. RPM was whether RPM could claim work product or attorney-client privilege over interview memoranda prepared during an internal investigation, when RPM’s outside counsel shared with RPM’s outside auditor quotes from the investigative interviews. 
On August 28, 2013, RPM announced a False Claims Act settlement with the Department of Justice (DOJ) in the amount of $60 million to resolve allegations that RPM violated 31 U.S.C. §§ 3729 et seq. relating to when RPM overcharged the government in certain contracts. Shortly after this announcement, the SEC initiated a formal investigation into RPM’s public disclosures. Due to the SEC’s investigation, RPM’s outside auditor, Ernst & Young (E&Y), informed RPM that they could not sign off on RPM’s 10-K without RPM conducting an internal investigation. RPM hired outside counsel to conduct an internal investigation, who interviewed 19 current and former RPM employees.
To give E&Y comfort, RPM’s outside counsel made an oral presentation to E&Y, which included specific quotes from their interviews. RPM’s outside counsel then drafted 19 interview memoranda based on their interviews.
Years later, the SEC sued RPM in the U.S. District Court for the District of Columbia, alleging that RPM failed to timely record its accruals relating to the DOJ settlement agreement. During discovery, the SEC sought documents, including the interview memoranda from E&Y related to the internal investigation.
RPM sought to assert privilege over the interview memoranda, but the District Court ordered RPM to produce all 19 interview memoranda to the SEC, holding that (1) the interview memoranda was not work product because the interview memoranda were not prepared in anticipation of litigation, (2) even if the interview memoranda constituted work product, RPM waived its work product protection by sharing the substance with E&Y (and subsequently allowing E&Y to share information with the SEC), and (3) while 16 of the 19 interview memoranda reflected privileged communications between Jones Day and RPM employees or counsel, RPM waived its attorney-client privilege when it disclosed the facts from the investigation to E&Y.
This decision may have a chilling effect on the type of investigation-related information a company decides to share with an auditor for fear that it could lead to the waiver of privilege and allow the SEC to compel the production of documents related to an internal investigation.
III. Moving Forward
Companies should expect more rigorous audits if the newly revamped PCAOB is more aggressive and puts pressure on auditors and companies. It is important that companies engage outside counsel that appreciates the complex relationship between companies and auditors as it tries to navigate a potentially hostile environment in this changing landscape.
 Letter from Sens. Warren and Sanders to Gary Gensler (May 25, 2021), https://business.cch.com/srd/LettertoGensleronPCAOB.pdf.
 SEC v. RPM International, Inc., No. 1:16-cv-01803-ABJ, Minute Order (D.D.C. Feb. 12, 2020).