America's Community Bankers
January 13, 2003
Jonathan G. Katz
Re: Strengthening the Commission's Requirements Regarding Auditor Independence
Dear Mr. Katz:
America's Community Bankers (ACB)1 is pleased to comment on the proposed rule issued by the Securities and Exchange Commission (SEC) to strengthen requirements for auditor independence,2 as required by Article II of the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley).3
As required by Sarbanes-Oxley, the rules would (i) provide a "cooling-off" period before a public company could hire a former auditor to fill certain positions; (ii) prohibit an auditor from performing certain non-audit services; (iii) require that audit partners be rotated off the audit team every five years; (iv) require the audit committee to pre-approve audit and permissible non-audit services; (v) require that the auditor discuss certain matters with the audit committee; and (vi) require public companies to disclose to investors fees paid to auditors and policies and procedures for approving audit and non-audit services.
We support the SEC's efforts in drafting rules that will help to ensure that the auditors of public companies are providing a truly independent review of the financial statements of public companies. We believe that this rule is among the most important under Sarbanes-Oxley in trying to restore investor confidence in the public markets. As stated in a previous SEC rulemaking on auditor independence,
This rule, together with the formation of the Public Company Accounting Oversight Board, will help assure the public that financial statements are complete, accurate and reliable. We do have some suggestions that we believe will help make the rule more effective. Also, we are asking for clarification or additional guidance on several aspects of the rule.
As to the cooling-off period, we think further guidance would be helpful on who in a company would be performing a "financial reporting oversight role." We suggest that the definition be limited to the specific positions identified in the statute or, as an alternative, the specific positions identified in the rule.
In the description of prohibited non-audit services, we request clarification that the auditor will continue to be able to perform certain bank regulatory-related work required by the Federal Deposit Insurance Act (FDIA) and the rules of the Federal Deposit Insurance Corporation (FDIC). Clarification of prohibited services in the areas of tax, expert and human resource matters also would be helpful.
We believe that the audit partner rotation requirement will be disruptive and will increase auditing costs, but understand that this is a requirement under Sarbanes-Oxley. We suggest that the requirement apply only to the lead and reviewing partners. As an alternative, the SEC could allow partners, other than the lead and reviewing partners, to serve on the engagement team for up to seven continuous years. We also suggest that the "time-out" period be reduced from five years to two years to lessen the burden of the rotation requirement while still achieving its goals. Although we support the ability of using a forensic audit as an alternative to the rotation requirement, this should not be a requirement because of the substantial costs that would be incurred.
Additional guidance and clarification are needed with respect to the required pre-approval of both audit and non-audit services. We support the expanded disclosures about audit and non-audit fees and the pre-approval process, as long as additional guidance is provided. Finally, we support a requirement that the chief executive officer and chief financial officer get the same information that the auditor gives to the audit committee.
A public company will not be permitted to use an auditing firm if it employs in a "financial reporting oversight role" an individual who was employed by the auditing firm and was a member of the company's audit engagement team within the one-year period preceding the date of the initiation of the current audit. A "financial reporting oversight role" is defined to mean a role in which the individual is in a position to, or does, exercise influence over the contents of the financial statements or anyone who prepares them, and includes the position of director, chief executive officer, president, chief financial officer, chief operating officer, general counsel, chief accounting officer, controller, director of internal audit, director of financial reporting, treasurer, or any equivalent position.
A member of the audit engagement team is defined under current rules as all partners, principals, shareholders, and professional employees participating in an audit, review, or attestation engagement of an audit client, including those conducting concurring or second partner reviews and all persons who consult with others on the audit engagement team during the audit, review, or attestation engagement regarding technical or industry-specific issues, transactions, or events.5
The SEC has asked whether the cooling-off period should apply equally to large and small companies and whether the rules would impose a cost on smaller issuers that is disproportionate to the benefits that would be achieved. It is the case that community banks, particularly those in smaller communities, will often look to the auditing firm for qualified individuals to fill certain positions. We agree that when the role to be filled is one that has significant responsibility for preparation of the financial statements, hiring a partner or employee of a former auditor can raise questions of whether the auditor can perform his or her duties without undue influence from company officials.
The definition of "financial reporting oversight role," however, would cover not only those individuals with direct responsibility or oversight of those who prepare the registrant's financial statements, but also others with responsibility for related information including management's discussion and analysis. This could include a large number of people who would not have much contact with or influence over the external auditor to raise a question of independence. We believe that with the other protections put in place by Sarbanes-Oxley, including the requirement that the audit committee oversee the work of the auditor, the list of positions in a company affected by the rule should be those specifically identified in section 206 of Sarbanes-Oxley. In the alternative, the definition should be limited to the specific positions mentioned in the rule without reference to individuals who are in a position to exercise or who do exercise influence over the financial statements or anyone who prepares them. The specific positions mentioned in the statute and rule are those with the most influence over the preparation of financial statements and where employment of a former partner or employee of the auditor within one year of the individual participating on the audit engagement team would be most problematic.
We also suggest that the SEC consider amending the definition of "audit engagement team" for purposes of this rule to exclude audit partners and employees who provide only a minimal number of hours of work on the audit of the company. We recognize that section 206 of Sarbanes-Oxley applies the cooling-off period to individuals who participate "in any capacity" in the audit of the company. We believe, however, that the SEC has the authority to exclude certain partners or employees that play a small or insignificant role in the audit.
Prohibited Non-Audit Services
We agree with the broad principles outlined by the SEC in determining the scope of prohibited non-audit services: an auditor cannot audit his or her own work, perform management functions, or act as an advocate for the client. We also agree that the description of prohibited services, for the most part, builds on SEC rules issued in November of 2000, but the proposal would delete certain exemptions, exceptions and qualifications that were deemed appropriate at that time. We are requesting further guidance on the scope of some of the prohibited services.
We would like clarification that the scope of prohibited services does not encompass services that auditors are required to perform under section 36 of the FDIA6 and the rules of the FDIC.7 Under those banking laws and regulations, external auditors perform a "FDICIA" audit for banking clients, which entails attesting to and reporting separately on assertions made by management about internal controls.
We do not believe it is the SEC's intention to prohibit the auditor from providing these services. The preamble specifically states that during the audit, accountants must gain an understanding of their clients' systems of internal accounting controls and oftentimes become involved in diagnosing, assessing, and recommending to audit committees and management ways in which the internal controls can be improved or strengthened.8 The SEC notes that this service can be valuable to companies and may facilitate the performance of a high quality audit. For these reasons, the SEC states that auditors may continue to assess the effectiveness of internal controls and to recommend improvements in the design and implementation of internal controls and risk management controls.
This position is consistent with the SEC's proposed rules under section 404 of Sarbanes-Oxley that will require a company's auditor to attest to and report on the assessment of internal controls made by the company's management. However, it is not clear whether the "FDICIA" audit and the section 404 internal control report are audit services or permissible non-audit services. In the discussion of audit committee administration of the engagement, the preamble discusses statutory audits and explains that these engagements are viewed as audit services, in contrast to non-audit services.9 For clarification purposes, we believe that the preamble or the rule should explicitly state that the auditor is not prohibited from performing the services required by section 36 of the FDIA or the rules of the FDIC implementing those legal requirements and clarify that these services, as well as services performed under section 404 of Sarbanes-Oxley, are considered part of the audit.
On a related matter, there are problems with trying to draw a distinction between designing internal controls and recommending improvements. For example, if a company lacks a reconciliation control between the cash and general ledger, it would seem appropriate that the auditor suggest that reconciliation be done and help with the design of the procedure. Otherwise, the company would gain no real value from the auditor's recommendations because the auditor has not helped solve the problem and the company would have a difficult time engaging another firm to assist on an isolated matter. If the company designs a procedure to address the recommendation and the auditor concludes that the designed control is not adequate, the auditor might justifiably suggest how to improve the control. The only thing that is accomplished by prohibiting the auditor from assisting the company in designing the procedure in the first place is an inefficient method for improving a control problem, which is something the SEC should seek to avoid.
Unless a company employs a qualified internal audit group or engages another qualified independent firm to conduct its internal audit function, the best source of control design information is going to come from the external auditors. To limit their ability to provide meaningful support in the design of internal controls will only serve to weaken internal controls in general and create inefficiencies in the controls design process.
Internal Audit Outsourcing.
The proposed rule would prohibit the auditor from performing any internal audit services related to the internal accounting controls, financial systems or financial statements for an audit client. Under current rules, a company can outsource up to 40 percent of its internal audit function to its auditor. In addition, businesses with less than $200 million in total assets are not restricted by the 40 percent limit when using their auditor to provide internal audit services. We understand and support the principle of separating the internal and external auditing functions.
The SEC has expressed concern about the impact that this restriction may have on smaller companies that do not have internal audit departments or staff. Smaller banks, like all banks, are required by banking regulations to perform internal audit functions.10 As John Hawke, Jr., Comptroller of the Currency, testified during the SEC hearings on auditor independence held in July of 2000, bank regulators discourage, but do not prohibit, a bank from outsourcing internal audit work to the external auditor.11 Comptroller Hawke alluded to an Interagency Policy Statement that imposes a number of safeguards and quality controls to address supervisory concerns.12 If a smaller bank does not have the internal resources to perform the internal audit work, the bank may have difficulty finding a qualified firm willing to do the work at all or at a cost that is not prohibitive. It may be appropriate to provide some relief for smaller companies and include standards similar to what currently applies to banking institutions, or what currently applies under SEC rules to public companies, so that auditor independence can be maintained.
The preamble states that under the proposed rule, an auditor's independence also is impaired when the auditor advises an audit client about the design of its management or organizational structure.13 We have been unable to find this language in the rule and do not believe it is appropriate. Providing this service does not put the auditor in the position of having an interest in the success of the employees that the auditor has selected, tested or evaluated. It does not involve excessive involvement by the auditor in human resource selection or development, but such advice can help smaller institutions better organize personnel. The company, not the auditor, would make final decisions on management structure.
We also would like clarification that the auditor can continue to consult on compensation matters, including incentive compensation, provided that the company makes all final decisions and the auditor does not negotiate compensation matters with potential employees.
The proposal would prohibit an auditor from providing expert opinions for an audit client in connection with legal, administrative, or regulatory proceedings or acting as an advocate for an audit client in such proceedings. The description of prohibited services in the preamble raises some issues. It is difficult to distinguish what the SEC describes as prohibited advocacy-type assistance from permissible assistance from the auditor as a fact witness to audit work. When and how, for example, does testimony that provides a factual account of what an auditor observed and the judgments he or she made, which is permissible, become distinguished from providing expert opinions for an audit client in connection with legal, administrative or regulatory proceedings? We do not believe that the distinctions will be clear in many cases. Furthermore, we are unclear as to why the auditor would be permitted to provide advice or forensic accounting services to assist an audit committee in fulfilling its responsibility to conduct an investigation of a potential accounting impropriety, but it would be impermissible to provide these services for the company in a legal, administrative or regulatory proceeding. Companies should not be deprived of the testimony, opinions and assistance of those individuals most knowledgeable about a company's accounting, should questions arise in any type of proceeding. The prohibition on providing consultation to an audit client's legal counsel is particularly inappropriate. While legal counsel may serve in an advocacy role and be authorized to zealously protect the company's interests, there is no reason that counsel should not be able to get input and expertise from the company's auditor.
The SEC indicates that nothing in the proposed rules is intended to prohibit an accounting firm from providing tax services to its audit clients.14 The proposed limitations will, in effect, prevent most public companies from engaging the tax divisions of their audit firms for all but the most routine tax preparation services, and may even serve to restrict those as well. Many public companies deal with complex federal, state and local tax issues that require unique skills few companies can afford to build or acquire on their own. The auditing firm can provide that expertise at reasonable cost. The rule will result in higher fees and inefficiencies as companies engage separate firms to prepare their tax returns. Much efficiency is gained in the tax return preparation process through review by the tax engagement team of audit workpapers; efficiencies that will be curtailed or eliminated by the introduction of separate firms.
Similar to our comments on expert services, we do not think that the lines being drawn between being an advocate for the client, which is prohibited, and permissible tax services are clear. In a sense, all tax services can be considered a form of advocacy. Clearly, Congress decided that providing tax services did not impair an auditor's independence. As the SEC states in the preamble, tax services are unique because there are detailed tax laws that must be consistently applied and the Internal Revenue Service (IRS) has the authority to audit tax returns.15 The individuals who prepare a company's tax returns and assist in developing tax strategies should be able to explain the reasoning behind their work in a proceeding. We think the example provided in the rules needs to be clarified. The example indicates that the formulation of tax strategies is not permissible, but tax planning is permissible. We believe that they are one and the same.
Many banks use their tax return preparer to represent them before the government, including representing them on audit or in procedural matters before the IRS. There is no reason why the tax division of an auditor should not be permitted to justify the company's actions and be available to answer questions as they arise. In addition, tax partners at a company's auditor should be able to participate in efforts to obtain private letter rulings. These requests represent a company's efforts to get needed clarification on how to comply with the tax code.
Issuing tax opinions also should be permissible. A tax opinion merely applies the tax laws to a set of facts and reaches conclusions. The auditor's tax partners should be able to give professional opinions and companies should be able to use those opinions to support their actions. Also, it is difficult to see how there is an impairment of independence when tax professionals associated with the auditor assist in structuring complex tax strategies. We would like clarification that the auditor can continue to provide these services. Requiring companies to obtain standard tax-related services from other third party providers will increase the costs of obtaining these services with no significant benefits.
The rule would require that an accountant is not independent of an audit client when an audit engagement team partner, principal or shareholder performs audit, review or attest services for that issuer or any significant subsidiaries in each of the five previous fiscal years of the issuer or any significant subsidiaries and continues to serve as a partner, principal or shareholder on the audit engagement team. The rotation requirement will apply to the lead partner, the concurring review partner, the client service partner, and other "line" partners directly involved in the performance of the audit. The rotation requirement would not apply to partners assigned to "national office" duties who may be consulted on specific accounting issues related to a client. Once a partner is rotated off the engagement team, the proposal would require that the partner not provide audit services for the audit client for five consecutive years.
We believe that the five-year "time-out" period is too long. The SEC has proposed the five years in order to ensure investors that there will be a periodic fresh look at a company's accounting and auditing issues. A two-year period would seem sufficient to achieve the SEC's goals and would reduce the burden of the rotation requirement on both audit firms and public companies. A two-year period would be a better balance of the interest in having a fresh look at a company's accounting and the benefit of having individuals knowledgeable about that accounting available to the company. If an individual is off the engagement team for any longer than two years, institutional knowledge and familiarity with a company's operations, which is crucial in a regulated industry such as banking, is lost. On a related matter, we request clarification of language in the preamble. The SEC has asked whether the time-out period should be shorter for partners who rotate off an engagement after fewer than five years. The rotation requirement applies after a partner has served the client in "each of the five previous fiscal years." Therefore, we request clarification as to why a time-out period would apply if a partner went off an engagement team after fewer than five years of continuous service.
Including partners, other than the lead and concurring review partner, will add to the disruption that will be caused by the rotation requirement. Therefore, the SEC should follow section 203 of Sarbanes-Oxley and limit the requirement to the lead or reviewing partners. It is particularly unclear why a client service partner would have to be rotated since that partner is not involved in the auditing work directly and oftentimes is the individual that will be able to persuade management that the auditor's opinions are valid and should be followed. If management officials have a long-standing relationship with the client service partner, they will be more likely to respect the partner's opinions and be persuaded to do the right thing.
As an alternative to excluding other partners from the rotation requirement, the rule would be less burdensome if other partners could at least remain on an engagement team for up to seven continuous years. It takes about two years for an auditor to have a complete understanding of a company's operations, which then leaves only three years to apply that knowledge and expertise if the maximum time of service is five years.
Tax partners should not be subject to the rotation requirement. The discussion in the preamble tries to draw a distinction between the partner who may assess the company's tax provision accounted for in accordance with GAAP and those partners that perform tax services for the company, such as tax compliance and tax planning services. In the former case, the tax partner would be subject to a rotation requirement. The rotation requirement would not apply, however, in the latter case. In many cases, the same partner may be performing both types of tax work, and, therefore, the company would lose the benefit of having the same individual perform its tax planning and tax return preparation services. We do not believe that this is the correct result. Tax partners should be treated like other partners who are consulted on specific accounting issues, but are not subject to the rotation requirement.
The rule should not include a requirement that companies engage a forensic auditor to periodically evaluate the work of the financial statement auditor. This could result in significant expense for companies, particularly smaller companies, and would not be necessary in most cases. However, we would support the ability of companies to choose between engaging a forensic auditor or subjecting the audit partners on the engagement team to the rotation requirements. Companies would then be able to choose the option that is most cost-effective and beneficial to their operations.
Under the proposed rule, audit committees will have to pre-approve audit and non-audit services provided by the company's auditor. Clarification about these approval requirements would be helpful. The language of the rule appears to allow pre-approval through policies and procedures of non-audit services, but not audit services. However, the preamble refers to procedures the audit committee uses to pre-approve audit services and, in the discussion of disclosure issues, the preamble further states that proxy statements must include any policy and procedure developed by the audit committee concerning pre-approval of both audit and non-audit services.16 Also, it would be helpful to have clarification of the statement in the preamble that the audit committee also could establish policies and procedures, provided they are detailed as to the particular service.17 It is unclear whether that prohibits the audit committee from developing more broad-based policies and procedures that would allow management to contract for a non-audit service not contemplated by the audit committee in advance. If so, we would support exceptions that go beyond the de minimis exception and that would, for example, allow management generally to enter into contracts for recurring services provided that the audit committee subsequently reviews the contracts.
Communication with the Audit Committee
As required by Sarbanes-Oxley, the auditor would be required to communicate to the audit committee: (i) all critical accounting policies and practices used by the issuer; (ii) all alternative accounting treatments of financial information within generally accepted accounting principles that have been discussed with management, including the ramifications of the use of such alternative treatments and disclosures and the treatment preferred by the accounting firm; and (iii) other material written communications between the accounting firm and management of the issuer.
The SEC has asked whether the auditor should be required to provide this communication in writing. As a result of the corporate and accounting scandals that have occurred, we believe that many auditors will choose to put material information in writing so there is a record of what was reported to the audit committee. We are concerned that a blanket requirement to put all of the required information in writing would lead to voluminous documents being delivered to audit committee members who then may not be able to focus on the critical matters. Therefore, we believe that it might be best to allow each company and its auditor to determine the appropriate method for delivering the information. However, if the SEC does include a requirement that information be in writing, we believe it should be limited to material information.
The SEC also has asked whether the auditor should be required to communicate information on critical accounting policies and practices and alternative accounting treatments to management as well as to the audit committee. ACB believes that the auditor should be required to deliver the information to the chief executive and chief financial officers since these individuals now must certify the information in periodic filings.
ACB appreciates the opportunity to comment on this important matter. If you have any questions, please contact the undersigned at (202) 857-3121 or via e-mail at firstname.lastname@example.org, or Diane Koonjy at (202) 857-3144 or via e-mail at email@example.com.