ERNST & YOUNG LLP
February 18, 2003
Mr. Jonathan Katz
Securities and Exchange Commission
450 5th Street, NW
Washington, D.C. 20549-0609
Standards Relating To Listed Company Audit Committees
(File No. S7-02-03)
Dear Mr. Katz:
We are pleased to comment on the proposed rule to implement the requirements of Section 301 of the Sarbanes-Oxley Act of 2002 ("the Act"). Overall, we support the proposed rule, which we believe is generally consistent with the legislative intent and which will strengthen the role of audit committees with respect to financial reporting and corporate governance.
We have supported initiatives over the past decade to strengthen audit committees. For example, we supported issuance by the Public Oversight Board of its September 1995 report, Directors, Management, and Auditors: Allies in Protecting Shareholder Interests, in response to the Kirk Commission Report, Strengthening the Professionalism of the Independent Auditor. In addition, our former Chairman Philip A. Laskawy served as a member of the Blue Ribbon Committee on Improving the Effectiveness of Audit Committees, whose February 1999 report led to a number of improvements in audit committee practices, many of which Section 301 of the Act has effectively mandated for listed companies.
Our comments below principally relate to two issues. First, the proposed rule extends the audit committee's compensation and oversight responsibilities beyond the engagement of the principal auditor for the audit of the consolidated financial statements and related work required under the federal securities laws, which we believe will burden the audit committee in a manner that does not enhance audit committee oversight of the financial reporting process or promote investor protection. Second, we urge certain clarifications in the rule relating to procedures that audit committees must establish for handling complaints.
Responsibilities Relating to Registered Public Accounting Firms
In implementing Section 10A(m)(2) of the Securities Exchange Act of 1934 (the "Exchange Act"), proposed rule 10A-3(b)(2)(i), Responsibilities relating to registered public accounting firms, states that the audit committee "must be directly responsible for the appointment, compensation, retention and oversight of the work of any registered public accounting firm engaged for the purpose of preparing or issuing an audit report or related work or performing other audit, review or attest services for the listed issuer, and each such registered public accounting firm must report directly to the audit committee." (Emphasis added.) As discussed below, we believe that the underscored portion of the proposed rule broadens the audit committee's responsibilities beyond what Congress intended, and does so without justification.
The Act only imposes responsibilities on a listed company's audit committee with respect to the principal auditor engaged to issue an opinion on the financial statements of the issuer. Further, the scope of those responsibilities should extend only to the engagement of the principal auditor for the audit and the related work required of the principal auditor under the securities laws, namely reviewing interim financial information, reporting on management's assessment of the effectiveness of internal control for financial reporting, and rendering services in connection with statutory and regulatory filings. With respect to other services (i.e., those that would not be disclosed annually by the issuer as "Audit Fees" under, among other things, the recently adopted amendment to Item 9(e)(1) of Schedule 14A), we believe that the audit committee's responsibilities should be limited to the pre-approval of engagements consistent with recently adopted Regulation S-X Rule 2-01(c)(7). Once the audit committee approves such engagements, we do not believe that the audit committee should necessarily be required to be directly responsible for the compensation or oversight of the principal auditor with respect to those services. We believe that it should be left to the discretion of each issuer to determine the extent of the audit committee's responsibilities, beyond pre-approval of the engagement, when the principal auditor is engaged to provide services other than those required under the federal securities laws. Similarly, we believe that each issuer should have discretion in determining the appropriate extent of the audit committee's responsibilities, if any, for services provided by registered firms other than the issuer's principal auditor.
This conclusion is supported by the language in the Act. Section 10A(m)(2) imposes audit committee responsibilities with respect to "any registered public accounting firm employed by that issuer for the purpose of preparing or issuing an audit report." In circumstances where an issuer engages "joint auditors" who each sign the audit report, the audit committee's responsibilities would extend to each of those firms. Otherwise, we do not believe that the Act contemplated extension of the audit committee's responsibilities to other firms engaged to audit subsidiaries of the issuer (whether or not the principal auditor expresses reliance on the work of those auditors) or to other registered public accounting firms who may provide assurance services to the issuer.
Moreover, with respect to the reference in Section 10A(m)(2) to "audit reports and related work," Section 2(a)(4) of the Act defines "audit report" as a document in which the firm sets forth an opinion or disclaims an opinion, prepared following an "audit" performed for purposes of compliance by an issuer with the requirements of the federal securities laws. Further, Section 2(a)(2) of the Act defines "audit" as an examination of the financial statements of any "issuer" by an independent public accounting firm in accordance with the rules of the Public Company Accounting Oversight Board or the SEC (or applicable generally accepted auditing standards). Further, Section 2(a)(7) of the Act defines "issuer" as a company that is required to file reports with the SEC or that has filed, and not withdrawn, a registration statement with the SEC. Thus, under the Act's definitions of the relevant terms, we believe it is clear that the scope of Section 10A(m)(2) is limited to a parent company's principal independent auditor engaged to audit and issue an audit report on its consolidated financial statements filed in its SEC annual report. This interpretation would be consistent with other aspects of the Act. For example, it is our understanding that Section 202 of the Act, as well as the SEC's final rules on auditor independence, only requires the audit committee to pre-approve audit and non-audit services provided by the issuer's principal independent auditor. Also, the existing and amended requirements to disclose fees billed is limited to the issuer's "principal accountant."
In addition, we believe that the reference in Section 10A(m)(2) to "any registered public accounting firm employed by that issuer for the purpose of preparing or issuing an audit report or related work" (emphasis added) contemplates only services that the federal securities laws require the issuer to engage its principal auditor to provide. In this context, "related work" would be limited to reviewing interim financial information (as required by Regulation S-X Rule 10-1(d)), reporting on management's assessment of the effectiveness of internal control for financial reporting (as will be required by SEC rules adopted under Section 404(b) of the Act), and rendering services in connection with statutory and regulatory filings (such as consents that are required under Section 7(a) of the Securities Act of 1933). In our view, the "related work" for which the audit committee must have complete oversight responsibility would be those services included within the disclosure of "Audit Fees" in the issuer's SEC annual report. For example, we do not believe that the audit committee's responsibilities should be required to extend to other "work" performed by the principal auditor, such as tax work, that is not directly related to the reports required to be rendered by the principal auditor under the securities laws.
The proposed rule would extend the audit committee's responsibilities to include all assurance services provided to the issuer by its principal auditor, as well as assurance services provided by a registered public accounting firm other than the principal auditor. We do not believe that such an expansion of audit committee responsibilities is necessary for the protection of investors, nor do we believe that the proposed requirement could be practically implemented in all cases. There are a variety of other assurance services for which an issuer may decide to engage its principal auditor. For example, management of an issuer may decide to engage the principal auditor to report on the application of agreed-upon procedures in a restricted distribution report, or to provide reports under Statement on Auditing Standards (SAS) 70, Reports on the Processing of Transactions by Service Organizations. While these services may be "audit-related" services, we do not believe that the audit committee should be made directly responsible for oversight of them. We are concerned about imposing too many new responsibilities on the audit committee. The audit committee has enormously important obligations with respect to oversight of the issuer's consolidated financial reporting, including the new responsibilities required by the Act, and piling on other responsibilities would detract from that central task.
Accordingly, we recommend that the Commission not extend the rule's reach beyond what was intended by the Act. That is, the final rule should clarify that the audit committee's responsibilities related to appointment, compensation, retention and oversight apply only to the issuer's principal accountant. We believe that the board of directors should have the discretion to establish the scope of the audit committee's responsibilities with respect to appointment, compensation, retention and oversight of (1) services rendered by the principal auditor other than those required under the securities laws, and (2) any services provided to the issuer, its subsidiaries or affiliates by other registered public accounting firms.
We also are concerned that the proposing release may create confusion as to the scope of the audit committee's responsibilities and related processes. Recently adopted Regulation S-X Rule 2-01(c)(7) provides that the audit committee is able to establish policies to pre-approve the issuer's engagement of its principal auditor to perform particular services or categories of specific services, and to be informed as to the individual services performed on a timely basis. Although not explicitly provided for in the language of proposed rule 10A-3(b)(2)(i) or recently adopted Regulation S-X Rule 2-01(c)(7), the proposing release states, "the audit committee would need to have ultimate authority to approve all audit engagement fees and terms, as well as all significant non-audit engagements of the independent auditor." (Emphasis added.) We are concerned that the reference to "terms" in the proposing release may cause some persons to infer that the audit committee must execute the contractual "engagement letter." Accordingly, the Commission should clarify that while the audit committee may have such ultimate authority, the Commission is not suggesting that the audit committee must, or even should, review and approve the terms of individual engagements, or execute engagement letters.
Procedures for Handling Complaints
In implementing Section 10A(m)(4) of the Exchange Act, proposed rule 10A-3(b)(3), Complaints, proposes to adopt verbatim the language of the statute. The proposing release conveys the Commission's decision not to prescribe specific procedures that the audit committee must establish, but rather to allow audit committees flexibility to adopt procedures appropriate for their circumstances. We concur with the Commission's approach. However, we do believe it would be helpful for the Commission to clarify that, while the audit committee is responsible for establishing procedures regarding complaints, those procedures could be executed by the issuer's employees (e.g., internal audit personnel, legal department personnel).
We also are concerned that the language of the proposed rule may be interpreted to restrict the independent auditor's access to complaints received by the issuer's audit committee. We are particularly concerned that the required procedures for "confidential and anonymous" communications from employees should not preclude the auditor's ability to assess such communications in determining the nature, scope and extent of its audit procedures and in reaching its opinion. We believe that the independent auditor should have unfettered access to any complaints received by management, the audit committee or the board, provided such access protects the anonymity of persons making confidential submissions. Accordingly, we believe that the SEC's adopting release should state that the audit committee's procedures should contemplate sharing with the independent auditor the nature and treatment of complaints received, and those procedures should not preclude the independent auditor's access to complaints, provided the sources of anonymous complaints are protected.
Proposed rule 10A-3(b)(3)(i) would require the audit committee to establish procedures regarding complaints about, among other things, "internal accounting controls." We believe that, for the purposes of this rule, the term "internal accounting controls" in the statute should be interpreted to be broader than "internal controls over financial reporting" (as discussed in the SEC's proposing release, No. 33-8138, to implement Section 404 of the Act) or "internal accounting controls," as defined in Section 13(b)(2)(B) of the Exchange Act. Instead, in the context of complaints, we believe that "internal accounting controls" should be interpreted consistent with the definition of "internal control" of the Committee of Sponsoring Organizations ("COSO") of the Treadway Commission's report, Internal Control - Integrated Framework, and under Generally Accepted Auditing Standards (GAAS) AU Section 319. Specifically, we believe that the audit committee's procedures regarding complaints should encompass complaints regarding compliance with laws and regulations, one of the aspects of the COSO and GAAS definitions of internal control. Accordingly, we recommend that the SEC's adopting release clarify that the scope of rule 10A-3(b)(3)(i) includes the internal control objective of compliance with laws and regulations, unless the issuer has established a qualified legal compliance committee (as defined in Section 205.2(k) of the recently adopted "Standards of Professional Conduct for Attorneys Appearing and Practicing Before the Commission in the Representation of an Issuer") that has corresponding procedures to receive, retain and treat complaints about the issuer's compliance with laws and regulations from both attorneys and others.
In implementing Section 10A(m)(6) of the Exchange Act, proposed rule 10A-3(b)(5), Funding, would require that listed issuers provide for appropriate funding, as determined by the audit committee, to compensate outside advisers engaged by the audit committee and "any registered public accounting firm engaged for the purpose of preparing or issuing an audit report or related work or performing other audit, review or attest services for the listed issuer." (Emphasis added.) For the same reasons as stated above, we believe that the proposed rule should be modified to make clear that the audit committee is not responsible for determining the compensation of the issuer's principal auditor for services that are not required under the securities laws (although, under the newly adopted auditor independence rules, the audit committee is required to pre-approve all services provided by the independent auditor, and the pre-approval process will likely include review of the fees relating to such services). In addition, the rule should make clear that the audit committee is not responsible for determining the compensation of any other registered public accounting firm (except when the audit committee specifically engages such firm as an adviser). That is, the audit committee should only be responsible for determining the appropriate funding to compensate the principal auditor for billings that would be reported as "audit fees" in the issuer's SEC annual report. In addition, in order to avoid potential confusion, the Commission should make clear that while the audit committee is responsible for determining the appropriate funding, the actual payment of funds could continue to be made by an authorized corporate officer.
In response to the SEC's specific request for comment on whether the board of directors should be allowed to establish a limit on the amount of funding that the audit committee could request, we do not believe such a limit would be consistent with the provisions or intent of the Act. In our view, the Act is clear that decisions related to the compensation of an issuer's principal auditor, and any other advisors retained by the audit committee, are the sole purview of the audit committee, subject to normal oversight from the board of directors and consistent with their fiduciary duties.
Identification of Audit Committee in Annual Reports
We support the proposed audit committee disclosure requirements in annual reports, which we believe will emphasize the important role that the audit committee plays in the financial reporting process. In addition, although the proposed disclosure could be provided in a subsequently filed proxy statement, we believe that the effective date of the required disclosure should be the filing date of the annual report. As the audit committee discharges a significant portion of its responsibilities as of the date of issuance of the company's annual audited financial statements, we believe it would be in the interests of investors to know as of that date whether a company had a separately designated audit committee, who its members are, and whether the issuer is relying on any exemptions from the SEC rules.
* * * * *
We would be pleased to discuss our comments with the Commission or its staff at your convenience.
Very truly yours,
/s/ Ernst & Young LLP