Foreign Public Accounting Firms
SOX Section 106 makes any foreign public accounting firm that prepares an audit report for an issuer subject to the Sarbanes-Oxley Act and PCAOB rules. To operationalize it, you must treat cross-border audit providers as in-scope, contract and onboard them to support PCAOB oversight, and retain evidence that the firm can meet SOX/PCAOB expectations. (Public Law 107-204)
Key takeaways:
- If a foreign firm prepares your issuer audit report, you must manage it like any PCAOB-regulated audit firm under SOX. (Public Law 107-204)
- Your job is operational: scope the firm correctly, bake compliance obligations into engagement terms, and keep audit-ready evidence.
- The highest-risk failure is treating the foreign firm as “out of scope” because it is outside the U.S.; SOX Section 106 removes that assumption. (Public Law 107-204)
The “foreign public accounting firms requirement” usually becomes urgent when your issuer has overseas operations, a cross-border group audit, or a non-U.S. affiliate firm participating in the audit. SOX Section 106 is short, but it drives real execution work for compliance, finance, and procurement: you must identify when a foreign public accounting firm is preparing the audit report for the issuer, and then ensure your governance, contracting, and oversight align with SOX and PCAOB rules. (Public Law 107-204)
For a CCO or GRC lead, the practical goal is straightforward: prevent a structural compliance gap where a non-U.S. audit firm is treated like a normal third party rather than an entity subject to SOX/PCAOB expectations. That gap shows up later as an auditor independence problem, an access-to-workpapers dispute, an incomplete audit trail for oversight, or friction during external audit coordination.
This page gives requirement-level guidance you can implement quickly: plain-English interpretation, who it applies to, step-by-step controls, evidence to retain, exam/audit questions, frequent mistakes, and a phased execution plan you can hand to Finance and Procurement.
Regulatory text
SOX Section 106 (excerpt): “Any foreign public accounting firm that prepares an audit report for any issuer shall be subject to this Act and PCAOB rules.” (Public Law 107-204)
What the operator must do
Operationally, treat any foreign public accounting firm that prepares your issuer audit report as fully in-scope for SOX and PCAOB oversight. That means:
- Scope and classify the firm correctly in your third-party inventory (not “non-regulated” or “local-only”).
- Put the right contractual hooks in place so your company and the group auditor can obtain cooperation, documentation, and access needed for SOX/PCAOB-aligned work.
- Maintain audit-ready evidence that the foreign audit firm’s role, responsibilities, and deliverables are governed and traceable.
Plain-English interpretation of the requirement
If a non-U.S. accounting firm prepares the audit report for an issuer, SOX treats it like any other firm under the Act and PCAOB rules. Country borders do not remove SOX obligations for that engagement. (Public Law 107-204)
A practical way to read this as a control owner:
- You cannot assume “they’re outside the U.S., so SOX/PCAOB doesn’t apply.”
- You must manage the engagement so oversight is possible and documentation is accessible.
Who it applies to (entity and operational context)
Entities in scope
- Foreign public accounting firms preparing an audit report for an issuer. (Public Law 107-204)
- Issuer organizations that retain, direct, or rely on those firms for the audit report or material audit workstreams.
- Internal stakeholders who create the risk: Finance/Controller, External Reporting, Internal Audit (SOX PMO), Procurement, Legal, and the audit committee liaison.
Operational contexts where this comes up
- Group audits with component auditors in other jurisdictions.
- Multinational issuers where a foreign firm signs or substantially prepares the audit report.
- Shared service centers or overseas subsidiaries where local auditors produce workpapers relied on for issuer reporting.
What you actually need to do (step-by-step)
Step 1: Identify and classify foreign audit firms in your third-party inventory
- Map your audit delivery model: which firm signs the issuer audit report, which firms perform component work, and which entities provide audit support.
- Classify each firm’s role:
  - Prepares the issuer audit report (highest criticality). (Public Law 107-204)
  - Supports the issuer audit (component work, shared workpapers).
- Tag the relationship as “SOX/PCAOB-relevant” in your third-party system so it triggers the right reviews, approvals, and evidence retention.
Operator tip: Most failures happen because the foreign firm is tracked as a generic “professional services” supplier with no SOX flags. Fix the taxonomy first, then build controls.
Step 2: Set minimum engagement terms (contractual and governance)
Work with Legal and Finance to ensure the engagement letter / MSA supports SOX/PCAOB-aligned oversight expectations for a foreign firm preparing an issuer audit report. (Public Law 107-204)
Minimum terms to require (write these as checkable clauses in a template addendum):
- Cooperation and information-sharing obligations toward your issuer and group auditor, consistent with relevant oversight expectations.
- Workpaper/document retention and production commitments aligned to audit needs.
- Subcontracting restrictions (no further delegation without approval).
- Confidentiality and data handling terms compatible with cross-border transfer realities, with a clear escalation path if local law limits sharing.
- Service description and deliverables: exactly what the foreign firm will produce, when, and in what format.
Step 3: Establish an oversight workflow (before fieldwork starts)
Build a lightweight, repeatable workflow that triggers when a foreign audit firm is in scope:
- Pre-engagement review (Finance + SOX PMO + Legal):
  - Confirm the firm’s role and whether it prepares the issuer audit report. (Public Law 107-204)
  - Confirm engagement terms include your minimum clauses.
- Kickoff controls:
  - Identify the engagement owner internally.
  - Document reporting lines between group auditor and foreign firm.
- Fieldwork governance:
  - Define how issues are raised, tracked, and resolved (audit adjustments, control deficiencies, late deliverables).
Step 4: Build evidence collection into the process (don’t chase it later)
Create an “audit-ready packet” and require it as a condition of engagement closeout:
- Signed engagement letter and addenda.
- Role map showing where the foreign firm’s work flows into the issuer audit report.
- Deliverables index (what was produced, by whom, and where stored).
- Meeting minutes / status reporting artifacts showing active oversight.
Step 5: Integrate into SOX and third-party risk management (TPRM)
SOX Section 106 is not a generic vendor risk requirement; it is a scoping and oversight requirement tied to issuer audits. Still, you should integrate it into your TPRM program so it does not rely on tribal knowledge:
- Add a third-party intake question: “Will this firm prepare or contribute to the audit report for the issuer?”
- Require CCO/GRC visibility on any cross-border audit relationships.
- Ensure issue management routes audit-delivery risks to the SOX PMO and audit committee liaison quickly.
Where Daydream fits: Daydream can track audit-related third parties, attach the required evidence packet to the relationship record, and run a workflow that blocks renewal until the engagement terms and artifacts are complete.
Required evidence and artifacts to retain
Keep artifacts in a location accessible to Finance, SOX PMO, and Internal Audit, with a clear record owner.
Minimum evidence set (practical):
- Third-party record showing the firm is foreign and is tied to issuer audit activities.
- Engagement letter / contract, including any SOX/PCAOB-related addendum expectations. (Public Law 107-204)
- RACI or responsibility map for group audit vs component work.
- Deliverables list and storage references (workpaper indices, reports, memos).
- Oversight records: kickoff notes, status reports, issue logs, escalation emails.
- Management sign-off that the relationship met required onboarding and governance steps.
Common exam/audit questions and hangups
Expect Internal Audit, external auditors, or regulators to ask questions like:
- Which foreign firms are involved in the issuer audit, and what do they do? Show your role map and third-party inventory tags.
- How do you know they are subject to SOX/PCAOB expectations for this work? Point to SOX Section 106 and your engagement governance controls. (Public Law 107-204)
- Can you produce engagement terms and evidence of oversight? Produce the audit-ready packet.
- What happens if the foreign firm cannot provide documents due to local law? Show your escalation process, documented decisions, and alternative procedures.
Hangup to plan for: cross-border data transfer and local secrecy rules can create friction. Your control is not “guarantee no restrictions exist”; your control is “identify constraints early, document them, and ensure the audit approach addresses them.”
Frequent implementation mistakes and how to avoid them
Mistake 1: Treating foreign audit firms as normal professional-services suppliers
Avoidance: Add SOX/PCAOB relevance flags in intake and inventory, and require SOX PMO sign-off before engagement execution.
Mistake 2: Discovering the foreign firm’s role after audit fieldwork begins
Avoidance: Require a pre-engagement role map for any audit-related third party.
Mistake 3: No contractual pathway to obtain cooperation or documentation
Avoidance: Use a standard engagement addendum for audit-related third parties and require Legal review for deviations.
Mistake 4: Evidence scattered across inboxes and audit portals
Avoidance: Define a single system of record (for example, Daydream + your document repository) and require closeout packaging.
Enforcement context and risk implications
The core risk is governance failure: if a foreign public accounting firm prepares the audit report for an issuer and you treat it as outside SOX/PCAOB scope, you create exposure in audit quality, oversight access, and audit committee confidence. SOX Section 106 is explicit about applicability to foreign firms for issuer audit reports. (Public Law 107-204)
This requirement also interacts with vendor due diligence in practice: you are not assessing a commodity supplier. You are managing a high-impact third party tied to financial reporting integrity.
Practical 30/60/90-day execution plan
First 30 days: Scope and stop the bleeding
- Identify all audit-related third parties, including foreign public accounting firms.
- Build and approve a role classification model (prepares issuer audit report vs supports).
- Create an engagement addendum/checklist for foreign audit firms tied to issuer audits. (Public Law 107-204)
Next 60 days: Operationalize workflow and evidence
- Implement intake gating: any audit-related third party triggers SOX PMO + Legal review.
- Stand up the audit-ready packet structure and assign owners.
- Pilot the workflow on the next active audit engagement or renewal.
Next 90 days: Embed and test
- Integrate the requirement into TPRM procedures and SOX PMO operating cadence.
- Run a tabletop test: “Can we produce complete artifacts for every foreign audit firm in scope?”
- Remediate gaps, then lock the process into procurement onboarding and renewal steps.
Frequently Asked Questions
Does SOX Section 106 apply if the firm is outside the U.S. but audits a foreign subsidiary?
It applies to a foreign public accounting firm that prepares an audit report for an issuer. (Public Law 107-204) If the foreign firm only performs component work, treat it as audit-relevant and govern it accordingly, since its work can still be relied on in the issuer audit.
What if our group auditor hires the foreign firm, not us?
You still need visibility and governance because the relationship affects your issuer audit outcome. Require the group auditor to provide the role map and ensure your oversight artifacts cover who did what and how issues are escalated.
What’s the minimum we should retain as evidence?
Keep the signed engagement terms, role/responsibility mapping, deliverables index, and documented oversight (kickoff notes, status reporting, issue log). Tie these to the third-party record so you can produce them fast during an audit.
How do we handle situations where local law limits workpaper sharing?
Identify the constraint before fieldwork, document it, and escalate to Legal, the SOX PMO, and the group auditor for an agreed approach. Your exam defense is documented decisioning and a clear alternative plan, not informal assurances.
Is this a procurement problem or a SOX problem?
It’s both. Procurement owns intake and contracting mechanics; the SOX PMO/Finance owns audit governance and evidence. Put one workflow in place so neither team can complete the engagement alone.
How should we track this in our third-party risk tool?
Create an “issuer audit relevance” attribute, attach the audit-ready packet to the relationship record, and require approvals before renewal. Daydream is a practical fit if you want a single workflow tying intake, contracting checkpoints, and evidence retention to the same record.