D. Scott Huggins, CIA, CFSA, CFE
Senior Vice President & Chief Auditor
One Penn Square
Lancaster, Pennsylvania 17602
March 14, 2003
Jonathan G. Katz
U.S. Securities and Exchange Commission
450 Fifth Street, NW
Washington, DC 20549
Re: File No. S7-40-02, Disclosure Required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002
Dear Mr. Katz:
I realize the comment period for these sections has lapsed; however, I recently became aware of an extremely burdensome aspect of §404, having spent much of my time working through the "financial expert" rules. I appreciate the opportunity to comment on the proposed rule, "Disclosure Required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002." As a chief audit executive having responsibility for evaluating the effectiveness of the internal control structure, I can certainly appreciate the requirement for CEO and CFO annual assertions regarding such effectiveness. During my career I have been integrally involved in setting standards for the internal auditing profession through my membership on The Institute of Internal Auditors' Internal Auditing Standards Board. As part of my role as a past President of the National Association of Financial Services Auditors (NAFSA), I have also been a strong advocate of meaningful disclosure with regard to internal controls. It is in the capacity of Chief Audit Executive and management team member that I am concerned with the proposed quarterly certifications on internal control effectiveness. The comments expressed are mine and mine alone and do not necessarily represent the views of the senior management of Fulton Financial Corporation.
Having been involved with the FDIC Improvement Act (FDICIA) of 1991 since 1991, I am integrally familiar with the work effort required to opine on the effectiveness of the internal control structure on an annual basis. While FDICIA was initially promulgated as having minimal burden on reporting, it has been shown to be quite the opposite. With regard to §404, the work effort to identify, evaluate through testing and report on the effectiveness of internal controls on an annual basis is expected to be extremely time-consuming. Increasing the frequency of such efforts to a quarterly cycle would and should be unconscionable. Estimates of increased man-hours required fall between 8,000 and 10,000 annually. That's for a conservative financial institution of less than $9 billion in assets. The corresponding increase in external auditor fees could be enormous.
In my opinion, it is incumbent upon the SEC to strictly interpret the requirements of Sarbanes-Oxley, i.e., an annual certification on the effectiveness of internal controls. For the SEC to loosely interpret the meaning and arrive at a quarterly certification is a leap I believe totally unintended by Sarbanes-Oxley. In order to accommodate a quarterly certification, evaluated as of a date within 90 days prior to the date of certification, a continuous audit process would have to be implemented. In other words, as soon as one quarter is completed, the entire process must being again for the next quarter. The cost of quarterly certifications far outweighs any value derived. With quarterly disclosure control certifications, increased audit committee involvement, criminal sanctions contained in §906, and all the other requirements of Sarbanes-Oxley, I implore the SEC to reconsider its position with regard to quarterly certifications under §404. Annual certifications are sufficient, relevant and timely.
Thank you for your consideration of my comments on this important matter.