Office of the Chief Accountant:
April 2001 Letter to the Public Oversight Board on Quality Controls Over Auditor Independence
April 9, 2001
Mr. Charles A. Bowsher
Public Oversight Board
One Station Place
Stamford, CT 06902
Dear Mr. Bowsher:
During the past three years an alarming number of deficiencies and in some cases outright lack of quality controls within the accounting profession with respect to auditor's independence have been brought to the attention of the staff. Pursuant to our earlier conversations, attached is a list of our general observations regarding the firms' quality controls over auditor independence.
We believe that rigorous testing and robust reporting on these essential quality controls by the Public Oversight Board will provide the investing public with greater insight into the progress the profession has made in improving their quality control systems since our initial communication in November 1998. No doubt the profession has made progress in the past year as evidenced by the SEC Practice Section's implementation of new membership requirements. Further, we have seen examples where individual engagement partners are taking a very active role in ensuring that independence is maintained.
It is important that the public understand the status of the implementation of the quality controls specified by the SECPS membership requirements, the Look-Back Program and the final independence rules adopted by the Commission.
As we have discussed, the voluntary Look-Back Program requires the POB to issue two reports. The first is on the design and implementation of the quality controls specified by the terms of the Program as of December 31, 2000. The second report is on the effectiveness of the operation of those quality controls for the period from January 1, 2001 through June 30, 2001.
The staff would be pleased to meet with you and your staff to discuss our observations.
Lynn E. Turner
cc: Jerry Sullivan
OBSERVATIONS ON AUDITOR'S INDEPENDENCE
It is important that the engagement partner take an active role in ensuring compliance with the independence rules including the identification of instances of noncompliance. We have observed that those partners who actively manage this part of their engagements usually are able to identify problems and resolve them proactively. Those who do not may cause a significant and difficult issue for their client and investors. As such, the engagement partner serves as a key control in this overall process.
The firms need to provide their personnel with the proper tools to ensure compliance with the independence requirements. As discussed in greater detail below, this will include but may not be limited to such things as:
- Plain English policies and procedures that are documented and provided on both a national and international basis.
- Timely communication of relevant information to all partners and employees.
- Where feasible, use of technology such as web sites to facilitate education and communication.
- Worldwide independence list.
Policies and Procedures
The staff has noted that written policies and procedures do not always cover in-depth:
- An international global policy
- Engagement specific guidance
- Non-audit service guidance
- Guidelines for coordination and communication on an international scale
We have noted that the central independence function often lacks adequate staffing both within the "national" office and within the "International" firm. Specifically, we have noted significant and large variations in the number of personnel assigned to this important function between the firms. This raises the question of whether each of the firms are equally committed to ensuring compliance with the independence rules.
Examples of areas where concerns exist include:
- A lack of an adequate budget to support the function in the U.S.
- A lack of budget to support the function within the International firm as well as foreign affiliates.
- The independence function is viewed as an "unattractive" assignment and its importance is not emphasized.
Ongoing training develops an awareness and culture within the firms while providing professionals with the requisite knowledge to comply with the rules. The following are examples of breakdowns in the systems that support or oversee the training function:
- A lack of ongoing communication from each of the Senior Executives within the firm, the leaders of Industry Programs and Senior Partners responsible for Product Service Lines to the partners and employees within the firms regarding the importance of compliance with the independence rules of the SEC, profession and the firm.
- A lack of initial substantive training programs for new employees joining a firm.
- A lack of substantive annual ongoing training programs for employees and partners. Such training needs to cover all of the rules set forth by State Boards of Accountancy, the AICPA, the SECPS, the ISB, the SEC and the firm. The training needs to cover all aspects of the independence rules including professionalism and ethics, scope of services, investments, and fee arrangements.
Internal Monitoring and Testing
Part of an adequate system of controls includes a substantive, continuous and effective program that will re-enforce the importance of compliance with the rules as well as identify instances of non-compliance. The following are examples of deficiencies that the staff has noted in firms current systems:
- A lack of testing of compliance with the investment rules by both individuals and the firm.
- A lack of testing of compliance with the scope of services rules by both the firm and individuals on audit engagements during the internal inspection process.
- A lack of follow-up on annual confirmations to ensure (1) they are all received, (2) are complete and respond to all questions, and (3) any exceptions are resolved on a timely basis.
- Lack of a clearance process for new hires and admissions of partners and managerial level personnel.
The following are examples of breakdowns in the treasury function that the staff has observed and believes should be considered in the quality control systems at the firms.
- A lack of initial and ongoing training of treasury personnel on the investment section of the independence rules.
- A lack of written policies and procedures for determining investments are not prohibited.
- A lack of segregation of duties. That is, no one within the treasury function is designated as the person responsible for ensuring compliance with the independence rules.
- Initial and ongoing communications to outside investment brokers about the importance of auditor independence are lacking or insufficient and do not provide a list of prohibited investments on an ongoing and timely basis.
- Testing of purchases by outside investment brokers does not exist or fails to identify on a timely basis prohibited investments.
The following are examples of observations the staff has made that either contribute to or have resulted in problematic, if not inappropriate fee arrangements:
- The staff has identified inappropriate contingent fee arrangements.
- Consulting personnel enter in oral or written side letter arrangements with audit clients that are prohibited and designed to get around the "formal" written fee arrangements.
- A lack of adequate training of personnel outside of the audit function related to acceptable and unacceptable fee arrangements on an ongoing basis.
- Engagement partners do not understand inappropriate fee arrangements entered into by other service lines or even worse, are not made aware of them.
- Engagement personnel do not report prohibited fee arrangements that have been identified to the national office on a timely basis.
- A lack of clear guidance on what constitutes a prohibited contingency fee and commission. We have seen internal guidance that labels some of these fees as "value added" fees and thereby try to skirt the rules. However, the substance of the fee arrangement and perhaps even the discussion with the client involved a prohibited contingent fee or commission.
Global systems designed to safeguard against the provision of prohibited non-audit services and investments have failed to identify instances where the provision of those services would be a violation of the SEC's independence rules. The following are examples of observations the staff has made:
- Situations where foreign affiliates are providing prohibited services such as bookkeeping, executive search or legal services.
- A lack of procedures to ensure timely reporting to international affiliates of the list of SEC registrants for which independence should be maintained.
- A lack of a procedure requiring foreign affiliates who provide services to an SEC registrant to confirm to the lead engagement team their independence and compliance with the applicable rules.
- Notification from the lead engagement team to foreign offices notifying them of the need to comply with all of the independence rules and requesting confirmation of that fact are not done on a timely basis (i.e., before significant audit work is undertaken).
- A lack of confirmation back from all international affiliates performing work for an SEC audit client, PRIOR to substantive work being performed, of their independence.
- A lack of a process or procedure for identifying all foreign affiliates, including those not performing audit services that are providing services to an audit client.
- A lack of substantive initial and ongoing training on the applicable independence rules by foreign affiliates.
- Inadequate staffing and empowerment of independence personnel within the international firm and its foreign affiliates.
- Inadequate communication and coordination among those responsible for independence matters both on a national and international basis.
ISB No. 1 Letter
We have seen examples of violations that were not reported to the audit committee in the ISB No. 1 letter. In particular, we have seen firms deem a violation, (e.g. bookkeeping) a technical violation and therefore in the judgment of the firm, such a violation did not impair their independence and was not required to be reported as a violation to the audit committee. As the Commission reiterated in its recent release on auditor's independence, we believe all violations of the rules must be reported to the audit committee in the ISB No. 1 letter. Otherwise, the audit committee will be unable to adequately consider all the relevant facts.
Further, we have observed that the relationships set forth in the ISB No. 1 letter do not reconcile to the relationships and fees set forth in proxy disclosures made by a registrant. For example, an international registrant may have incurred fees for prohibited bookkeeping or legal services from an international affiliate that are not set forth as such in the ISB No. 1 letter and noted as prohibited services. The SEC staff has strongly urged audit committees to request that the Company's proxy disclosures be reconciled to the disclosures in the ISB No. 1 letter.
The staff has observed situations where engagement and national office personnel devise rationales as to the appropriateness of providing certain non-audit services. Usually this includes a rationalization of why a prohibited service that has been provided or may be provided does not impair the auditor's independence and therefore an independent opinion can still be issued.
As part of the "rationalization", the auditors may get a short letter from their client stating the audit client was taking responsibility for management type decisions. However, there was not a clear understanding of this point up front with the client. We have had numerous financial management personnel tell us that yes, they signed the letter, but in reality it was the audit firm's personnel who were making the decisions and coming up with the results and numbers.
The staff has observed situations where firms' lack a process whereby both the engagement partner and national office are notified of and clear all business relationships entered into with an audit client (e.g., joint ventures, marketing of a client's products, etc.). Also, it appears audit firm personnel, especially non-audit personnel, were not aware of the prohibitions on business relationships with clients.
Disciplinary Process and Sanctions
A functioning, meaningful disciplinary process does not exist in many firms. Too often when an issue has been appropriately brought to our attention the staff has asked what disciplinary action has been taken and the response is none. Human behavior is such that if individuals believe there is no sanction for a violation, then there is a lack of discipline of compliance.
There are no established guidelines for the disciplinary process and determination of what actions are to be taken given different types and severity of noncompliance with the applicable rules. As a result discipline may not be evenhanded and substantive among the various staff and partners in the firm, including the senior partners and executives who have a leadership role in this process.
As noted in one of the recent peer reviews, it appears the national offices in some cases try to "justify" why an independence violation has occurred as opposed to making an appropriate determination of whether or not a violation has occurred. Accordingly, the staff has observed instances where the national office has failed to recognize and address clear violations of the rules. The staff observations include:
- National office labels a violation as a "technical" violation that does not prohibit the auditor from expressing an independent opinion on the financial statements. This is extremely disturbing when such a violation has been identified before substantive audit work has been performed but the firm "rationalizes" the violation and remains as the independent auditor.
- Engagement and other partners and personnel do not consult with the national office on independence matters on a timely basis.
- A lack of documentation of conclusions reached and the basis for those conclusions when consulting is undertaken.
- The internal inspection program or other quality controls do not test to determine if consultation on independence matters was appropriately followed.
The Fardella report identifies quality control deficiencies that we have observed in a number of instances across the profession. All of those control deficiencies should be examined and tested including but not limited to the following:
- Prohibited investments that are identified are not disposed of in a timely basis. In some cases, there was a lack of timely follow up by the national office to ensure that the prohibited investments were disposed of.
- Inadequate identification, reporting and testing of investments made by senior partners and executives within the firm.
- No testing of compliance by individuals within the firm, nationally or internationally.
- The posting of new clients to client lists was not done in a timely manner.
- The dissemination of updated client lists to all personnel within the firm was not done on a timely basis.
Employment with Clients
The following are examples of control breakdowns that the staff has noted with respect to employment relationships:
- Lack of a written policy setting forth clear requirements for disassociating from involvement with a client, on an immediate basis, once any negotiations or discussions with that client commence.
- Lack of written policies governing steps to be taken when a member of an engagement team takes a job with a client.
- Lack of pay-out of partners of their financial interests in a firm when they leave and commence employment with a client.
- Lack of a formal written policy requiring the audit engagement work performed for a client who has hired one of the engagement personnel be reviewed by an independent reviewer.
- A lack of a requirement for peer review and/or internal inspection programs to include these types of situations in the sample of engagements tested.
- Lack of clear policies and guidance for partners, especially executive level partners in the firm, when they retire as to what relationships they can establish with clients of their former firm.
Communications with Clients
Communications with the audit committee and client management tend to be done through "form" letters as opposed to a robust and in depth discussion of the issue. SECPS-mandated disclosures were not always transparent. Insufficient time is devoted to the subject during meetings with the audit committee.