Tagore von Hayek, Chairman
The Center for Investor Trust
Boston, MA 02163
January 13th, 2003
Mr. Jonathan G. Katz, Secretary
U.S. Securities and Exchange Commission
450 Fifth Street N.W.
Washington, D.C. 20549-0609
Re: File No. S7-49-02; Strengthening the Commission's Requirements Regarding Auditor Independence
Dear Mr. Katz:
We appreciate The Commission's invitation to comment on the Proposed Rules relating to: Strengthening the Commission's Requirements Regarding Auditor Independence. We, as most investors, fully support the Commission's recent efforts to strengthen investor confidence by strengthening and clarifying the rules regarding auditor independence.
We have several comments that we respectfully submit to the Commission for its consideration. For each of the major topics for which we have comments we have provided a detailed exploration and analysis of the ideas, concerns, and principles that should be considered in order to restore investor trust and confidence in the capital markets. Exhibit A contains more analysis and some responses to some of the questions the Commission asked in the proposed rules.
The following is a brief table of contents to the comments and analysis contained in this letter.
Table of Contents:
Introduction and Background
Performing Internal Audit Services
Assisting Management in Designing Internal Controls
Pre-approval of Service & Disclosure of Fees Paid To Accountants
We appreciate the Commissions hard work and efforts to consider the public comments. We respectfully submit the ideas contained herein for the sole purpose of promoting the interests of the individual investor.
Introduction and Background
The Center for Investor Trust
First, I would like to introduce to the Commission, and others, The Center for Investor Trust. We are a private organization committed to promoting investor confidence and trust. Our goal is to build awareness of issues that are important to individual investors. This is accomplished by promoting awareness to of potential conflicts of interests which may undermine individual investor's efforts to compete fairly in the capital markets and other education-base initiatives. Understanding the conflicts inherent in today's complex capital markets is necessary in order for investors to be able to compete fairly and equitably. We are completely supported by donations and the volunteer efforts of our members and supporters. We represent the views of no other organization.
Representing the Voice of the Individual Investor
Individual investors, including employees who hold money in company sponsored 401(k) plans, have the right to fair and accurate disclosures. They have the right to be represented by Boards of Directors who take their responsibilities seriously and who at all times independently and fairly represent the rights and interests of the shareholders. They also have the right for their duly elected Independent Auditors to fully and completely represent their interests by maintaining the utmost integrity in their capacity as an Independent Auditor. The Independent Auditors must be held strictly accountable to the Shareholders and the Board of Directors who represent the Shareholders.
There needs to be checks and balances within the corporate governance system, similar to the three branches of government, in order to protect the interests of investors, employees, and even the corporations themselves. We hope the commission will give considerable weight to the voice of individual investors as they consider our comments and recommendations.
The Loss of Professionalism in the Accounting Industry
In recent years the accounting industry has lost their independence and accountability to the Board of Directors and Shareholders of the companies who employ them. They have become agents of management, trading their independence and objectivity in the pursuit of revenue and financial gain.
During the past year the public has received a small insight into the inner-workings of these large accounting firms. Investors have witnessed how corrupt the accounting profession can be as professionals ignore their responsibilities in order to develop lucrative financial relationships with their clients. They have engaged in providing a smorgasbord of various services that go well beyond their primary duty to provide an independent audit of the financial statements.
Despite the industry's "pleas of innocence" and professed "independence," it is clear that there is so much money on the table that if necessary they will engage in criminal conduct to protect their personal interests. This was most recently evident as Arthur Andersen went out of business in the wake of a federal indictment and conviction for their felonious and blatant disregard for the public's trust at Enron. They engaged in the overt act of shredding documents to impede a federal investigation and to protect their own interests. Many have commented, "their only mistake was that they were the one's who were caught." The industry has lost it's professionalism.
Existing research shows that the accounting profession has undergone a tremendous change as a result of their efforts to provide other professional services to their clients. The percent of Certified Public Accounts within each firm has declined significantly from 1989 to 2001. Forbes reported in their November 11th, 2002 (page 52) issue, that the number of Certified Public Accountants has decreased on average from 49% to 35% from 1989 to 2001. They noted that only 16% of Arthur Andersen's Houston Office held the CPA designation in 2001 (down from 40% in 1989). No wonder Enron happened!
The Forbes article noted that "the drones who actually look at the books are often non-CPAs trained over six or eight weeks to fill in the blanks on standardized forms." Other reports indicate that from 55% to as much as 65% of the large accounting firm's revenue is generated from "non-audit" related services. These numbers are also up substantially from 10 years ago. The result of these trends is that the accounting industry has moved in a direction of which has compromised their independence with their audit clients. Their primary responsibility to act as independent auditors has been moved to the back-burner in order to pursue more lucrative business opportunities, such as tax, security, healthcare and other special projects.
Scope of Comments
It is time to restore investor confidence and trust in the capital markets. It is time to restore professionalism into the accounting industry. The Commissions proposed rules are a first step in that direction. Some of the proposed rules may in fact not be sufficiently clear to provide the guidance necessary to ensure that the independent auditors restore faith in their profession. The final rules must be sufficiently clear so as to strengthen independence and, if necessary regulate, the profession. Only then will trust be restored in the Independent Audited Financial Statement's of an issuer.
The Commission clearly has the authority to exercise it's administrative power to regulate necessary reform. Congress and the Senate clearly authorized the Commission to enact additional rules that would be necessary to restore public trust and enforce the intent of the Act. They obviously trust that the Commission has the authority, expertise, and knowledge to implement the Act through additional rule-making.
Our comments are designed to address and highlight concerns where the proposed rules may not be sufficiently clear so as to achieve the stated objectives and intent of the Act. These comments are focused on 3 primary areas:
- Performing internal audit services
- Assisting Management in Designing Internal Controls
- Pre-approval of Services & Disclosure of Fees Paid To Accountants
Our comments and analysis are designed to provide individual investors, the Commission, and Audit Committee members with an independent and objective perspective in dealing with these complex and important matters. Most of the other deliberative thoughts presented thus far represent the perspectives of constituents who have significant self-interests in the outcome of the proposed rules. Hopefully, the analysis and recommendations raised here will provide constructive and productive ideas to deal with some of the serious issues that continue to threaten the future of our capital markets and the accounting industries independence.
Our focus is intended to restore investor trust and confidence in the audited financial statements upon which individual investors rely to make accurate, timely and informed decisions. Security analysts who issue opinions and advice to individual investors also use these financial statements and must be able to rely upon the objectivity and independence of the auditor providing an opinion on the accuracy and truthfulness of the content.
It is imperative that as a class the individual investor's of America can once again gain comfort in the financial statements of the companies with which they are investing. These are matters of tremendous importance. The deliberations and decisions of the Commission, as they institute final rules, are paramount to achieving effective reform.
Much of the market-losses in 2002 could probably be attributed to the ineffective performance of the trusted gatekeepers of corporate financial statements - the auditors. We learned from Enron and other now infamous cases that the auditor's had long since sold-out their position as a trusted independent agent. They failed to maintain an important public trust. The result was landmark legislation designed to reform corporate governance and the role and activities of the independent auditor. The recommendations and suggestions that follow will provide the Commission and Audit Committees with worthwhile thoughts as they seek to adopt new rules and policies to reign in the abuses of the late 1990's.
Performing Internal Audit Services
The proposed rules raise several questions about when an independent auditor can perform additional internal audit services for their client. The rules allude to the inherent conflicts that arise when a firm engages their independent auditor to perform internal audit services. These concerns are legitimate and should be taken seriously in order for the auditors to achieve the independence and objectivity that is expected, and indeed required, by the shareholders of a company.
There has been some discussion about whether performing limited, discrete, non-recurring internal audits would impair the auditors independence. It does and will. Therefore a more stringent view in the definition of proscribed services should be constructed as the Commission seeks to adopt final rules.
The Commission has properly adopted a position that external auditors should be prohibited from performing internal audit services for those SEC registrants for whom they are the Independent, or external, Auditor.
A Definition of Internal Audit Services
Internal auditors (and therefore internal audit services) generally perform two primary functions within an organization; first they are responsible for providing analyses, evaluations, assurances, recommendations, and other information to the entity's management and Board of Directors. Second, internal auditors monitor the performance of an entity's internal control environment. In performing these duties they are in fact part of the management of the organization. They are part and parcel to the operations of the entity. We recommend that the Commission adopt the above description as a definition for internal audit services.
Professional standards for internal auditors require them to maintain "objectivity" in the performance of their work. When monitoring the internal controls of an organization an internal auditor must maintain a degree of independence according to the Professional Standards for Internal Auditors. When the external auditor engages in activities typically performed by internal audit, they are in essence performing a management function and taking on a management responsibility within an organization.
Some commentators have suggested to the Commission that the rules should not use the phrase "internal audit services" but rather "internal audit outsourcing". The logic being that perhaps some internal audit services should in fact be allowed. The idea that some companies do not have an internal audit function, or do not have sufficient skills to audit highly complex areas (such as Information Technology for example) will benefit by having their Independent Auditors perform these functions is absurd.
These subtle word differences can be very misleading. The current definition prohibiting "internal audit services" is sufficient and the commission would be well advised, as would audit committees, to carefully question any wording changes designed to be less restraining. This thinking is very misguided and has the potentially for tremendous abuse.
The notion that because a company lacks sufficient resources internally to discharge their responsibilities related to internal controls and should therefore engage their external auditors is unacceptable. If Companies do not have the resources internally to maintain an effective internal control environment, they should not hire their independent auditors to assist them in developing that function. Rather they should train their existing resources, hire appropriate qualified individuals, and/or engage another professional services firm to assist them with this function. There are plenty of other well-qualified service providers and other avenues by which a company could secure assistance. To suggest that the independent auditor is somehow in a unique position to assist them only highlights the potential incestuous nature of such a relationship.
The External Auditor's Relationship and Role to Internal Controls
The Independent Auditor, is already required (under AU Section 319, Consideration of Internal Control in a Financial Statement Audit " to consider the internal control environment in determining the nature and scope of the financial audit procedures. Therefore, they should not also be engaged in activities that are essential and critical to the performance, management, operation or execution of that function within a Company they also audit. To do so, would create a clear conflict of interest for the Independent Auditor and would likely impair their independence with respect to that particular Company.
When an auditor engages in special projects for their client they are essentially taking on a duty of management. It is management's responsibility to assess and monitor the internal controls of the entity. Under the new rules and as suggested in the Act this point is very clear. The spirit of the law was to hold management accountable for maintaining effective internal controls within their organization. If an independent auditor performs any internal audit services for their client they in effect are in violation of Proposed Rule 2-01(c)(4)(vi) which provides:
"...that an accountant's independence is impaired with respect to an audit client for which the accountant acts, temporarily or permanently, as a director, officer, or employee of an audit client, or performs any decision-making, supervisory, or ongoing monitoring functions for the audit client."
When an external auditor assists with the evaluation of internal controls or in-depth analysis on how to improve the internal control environment, beyond their primary duties and responsibilities associated with the financial statement audit, they are in fact acting temporarily as an employee of the audit client and assisting in an ongoing monitoring function. That is what internal auditors and management does. The external auditor's would be engaged in an activity that should be strictly within the purview of management. They would also impair their independence with respect to that particular client.
A Case Study in the Impairment of Independence
Consider a likely engagement; the Vice President of Customer Service decides that she would like to improve collections and billing accuracy at her new call center. The Company decides to hire the external auditors to perform this function because they have some unique skills that would be helpful in assessing and making recommendations around this business process. They also would like to make sure that the processes incorporate appropriate controls and would like the auditor's "recommendations" in this area. This is a discrete, non-recurring, event and the non-audit service fees are estimated at approximately 25-35% of the standard audit fees.
Would this be allowed?
If the accounting firms were to have their way, the answer is absolutely. In fact, they might even suggest, as PriceWaterhouse so clearly stated in their comment letter:
This activity clearly violates the principles outlined by the Commission. But, it also places the independent auditor in the unique role of ultimately auditing their own work. They have taken on a key responsibility of management and their independence and objectivity would, and should, be subject to tremendous scrutiny. The need to restore trust in our capital markets far outweighs the need and public benefits achieved by allowing accounting firms to "up-sell the audit".
Many are likely to suggest that the example above be dismissed in order continue their argument that having auditors engaged to assist in matters related to internal controls is in fact somehow desirable. PriceWaterhouse may be right that it would be more "cost-effective." But, they are wrong to suggest that this would not represent a serious threat to their independence or objectivity. The external auditors have no business providing these types of services to their audit clients.
Having auditors assist with internal controls because there is some perception that this is "their turf" and something they alone are uniquely qualified to perform is simply bad policy. This is no more or less egregious then having the independent auditors assist with other key duties of management, such as assisting in providing recommendations for the improvement of the financial close process, or supervising treasury operations, or making recommendations on improving general ledger postings. It would be inappropriate to have an independent auditor engaged to assist in these "non-audit" services. Existing professional standards clearly forbid such behavior.
However, if the proposed rules were to stand, the accounting firms could argue that their participation in such activities is not only allowed but even encouraged and sanctioned by the Commission. Allowing these services creates the potential for abuse and in many cases would impair independence. There is no reason a company could not effectively engage the services of a second firm if such work truly needs to be performed by an outside party. Arguments suggesting that it would be more "efficient for the external auditor to play such a role should be dealt with great skepticism. Would it be more "efficient," for the client? Or, would it be more "economically advantageous," to the firms performing such services? The appearance and need for independence far outweighs these arguments. In order to strengthen auditor independence black and white rules are essential.
Recommendation for Effective and Meaningful Reform
For an Independent Auditor to engage in internal audit related activities (whether discrete or non-recurring in nature) should be strictly prohibited. Not to do so, will create the potential for abuse and would likely place the auditor in the uncomfortable position that they would have to audit their own work. Even if an individual project were of such a discrete and obscure nature that it did not in fact impair the auditors independence the likelihood that it could impair an auditor's objectivity and the appearance that it could impair independence should be sufficient reasons not to permit such services from being performed.
The Commission should seek to make the final rules so apparent and obvious that these types of "services" are strictly forbidden. Failure to do so will allow the accounting firms to creatively interpret the rules for their own pecuniary benefit and place at risk the interests of the shareholders.
Assisting Management in Designing Internal Controls
Under the section entitled "management functions", the Commission has clearly set forth that an accountant's independence would be impaired with respect to an audit client where the accountant engages in certain activities normally deemed to be the responsibility of an employee or management of a company. However, the commission also suggests that:
...obtaining an understanding of, and assessing the effectiveness of, and recommending improvements to the internal accounting and risk management controls is fundamental to the audit process and does not impair the auditor's independence.
These two statements appear somewhat contradictory and could potentially be used, or misinterpreted, to create situations that threaten the perceived the independence of the external auditor.
Distinguishing Between Financial Audit Engagements and Projects to Assist with Internal Controls
It is absolutely true that independent auditors need to obtain an understanding of and assess the effectiveness of the internal control environment as they plan and perform a financial statement audit. Professional standards dictate as much and this is in fact required as part of a GAAS audit. The purpose of such activity is generally intended to assist the audit team in effectively planning their audit procedures and executing their audit strategy. In the course of performing their duties as an independent auditor they are likely to make recommendations and suggestions to management on observations and experiences. These may ultimately assist the client in improving their financial and operational controls. By no means, should the rules prohibit, or otherwise restrict, such constructive activities from occurring.
On the other hand, the proposed rules suggest that it may also be desirable for clients to engage their independent auditors to perform additional services designed to assist the "audit committees and management, [with] ways in which their audit client's internal controls can be improved or strengthened." The rules further state that "these services can be extremely valuable to companies, and they may also facilitate the performance of a high quality audit." Promoting this type of activity seems to contradict the very principle that the internal controls are management's responsibility and something that should be examined by the auditors in considering the internal control environment as part of an audit.
Obviously, if one has participated in a special project aimed at assisting an organization in "diagnosing, assessing, and recommending" improvements to the design and implementation of internal controls they cannot logically be construed to be independent, in either fact or appearance, in latter evaluating the internal controls as part of the financial statement audit. Their objectivity would likely be obscured for obvious reasons. Suggesting otherwise is disingenuous and irresponsible.
The Commission also states:
These statements will likely be misinterpreted and deliberately misapplied to the detriment of the individual shareholders and the public good. If misapplied, or otherwise misconstrued, they would effectively undermine the very objectives that they are intended to address. It appears from the Commission's commentary that they intend to suggest that as part of a financial audit an auditor would engage in activities designed to diagnosis and assess the internal controls of an entity. Observations or recommendations derived from such activity could be, and in fact should be, provided to management for their consideration in improving the internal control environment of their organization.
However, the commentary also suggests that the independent auditors could, and possibly should be engaged to perform extended internal control related procedures, or special projects. The purpose of such an activity would clearly be to help audit committees and management improve the overall design of their internal control environment.
The proposed rules offer a caveat that states: "so long as they are not engaged in designing and implementing those internal controls." The commentary provided goes on to suggest that making a "recommendation" is "fundamentally different" then "designing and implementing" specific recommendations. This type of reasoning is not well grounded. It appears to be a series of presumptions that may support a false and unreasonable conclusion. Even if the conclusion is not in fact false, the conclusion itself is dangerous and threatens to undermine an important purpose of the Act. The independence and objectivity of an auditor engaging in such an activity should be acutely questioned. The motives and intent of anyone arguing to the contrary should also be seriously questioned.
Clarification of Services Related to Internal Controls Is Needed
Congress, The Senate, and the Commission's own opinions and statements elsewhere, suggest that an auditor should not be engaged in performing services that go to the very essence of the entities internal control environment. Yet, in this section of the proposed rules the Commission has created an exception that probably has the unintended consequence of undermining and contradicting their own position as stated elsewhere. This raises questions and confusion as to at what point an auditor has transgressed from making a "recommendation" to actually performing management's functions and acting in the capacity as one who was instrumental in the "design and implementation of the controls".
This confusion needs to be carefully examined and the Commission needs to establish more definitive guidance to the public accounting firms. Otherwise the independent auditors will use these erroneous statements, to engage themselves in the very act of helping clients identify and build internal control environments. For an external auditor to assist an audit client in this manner would undoubtedly compromise their independence and objectivity.
The Auditors Role in Recommending versus Designing Internal Controls
It would seem the purpose of diagnosing, assessing and recommending improvements to the internal control environment is in fact a critical element, indeed an ingredient, in the "design" of the control environment. These terms are not sufficiently clear and will create a substantial amount of confusion for board members, investors, and public accountants.
Independent auditors are likely to engage in the very act that the legislators intended to prohibit under the guise that they are merely "recommending" improvements to the internal control environment. Diagnosing, assessing, recommending improvements to the internal control environment is one of the primary purposes of an internal audit function. To suggest in this section that this should be a permissible activity seems to contradict other key aspects of the proposed rules and the intent of Congress and the Senate.
Engagement letters will be carefully crafted to state that it is: "management's responsibility to design and implement" internal controls." The auditors will make orotund proclamations that they are merely providing a valuable service to their clients. Declaring that they are not responsible for the internal controls but "merely providing recommendations" on how management might improve internal controls by performing "special projects" that only they are qualified to perform and are simply extensions of the audit.
The review of management's representations on internal controls, as required by the Act, would effectively amount to a "rubber-stamp" of the "design of internal controls" which they not so independently "recommended." This alone should serve as prima facie evidence that they would be in violation of a principle tenet which states that an auditor's independence would be impaired if they were in a position whereby they audited their own work. This cannot and should not be allowed.
The Accounting Industry's Silence on These Matters and True Reform
The fact that the large accounting firms, with the exception of Deliotte & Touche, have not already come forward and expressed reservations relative to this aspect of the proposed rules should raise other questions as to their motivation and support of the Commissions intentions to create meaningful reform and strengthen auditor independence.
Board members and investors should question the implication of the accounting industry's silence on this matter as well. It should be quite clear that these actions, as currently defined, will compromise the objectivity, independence, and indeed professional integrity of the accounting profession yet once again. The most recent attack to their integrity resulted from the criminal indictment and conviction of Arthur Andersen, for their unscrupulous efforts to obstruct justice. Our capital markets cannot afford to allow this to happen again. If the accounting industry is serious about strengthening auditor independence and restoring professionalism into their trade, then they should embrace our comments and recommendations.
Recommendations to Strengthen Auditor Independence
The Commission should seek to define rules that would clearly prevent such atrocities from occurring despite the accounting profession's own efforts to ignore these obvious issues.
The simplest solution is to strictly ban additional services in this area and require companies to secure the assistance of a competent third party in performing any additional services related to the improvement of a company's internal control environment. Not only would this eliminate concerns regarding the auditor's independence and objectivity but it might also enhance a company's overall internal control environment.
The act clearly places a responsibility on management to maintain an effective internal control environment. If management needs to seek assistance from either third parties and/or improve the allocation of internal resources to sufficiently meet that requirement then management should do that. Audit Committees and Board Members should take their fiduciary responsibility earnestly and demand that this be the case. Management should not place reliance on their independent auditors for this critical function. The final rules must be modified to eliminate this very dangerous precedent from occurring.
While some may argue that this has traditionally been a common practice and should be allowed to continue, those claims should be quickly disregarded. Whether or not auditors were engaged in behavior that had a strong likelihood of impairing their independence or objectivity is irrelevant to attempts to codify such behavior. Furthermore, the Act specifically created new responsibilities for management and their auditors relative to the reporting of internal controls.
The independent auditors are now required under the Act to evaluate and test the internal control environment and management's assertions thereof. This is a new and expanded obligation which the Act requires. In performing these duties the independent auditors could, and should, make constructive comments and recommendations to management. Management, internal audit, and any third party provider could take any such recommendations under advisement as they discharge their duties related to the internal control environment. Having the independent auditors engaged to perform additional services in this area should be specifically prohibited as a matter of policy as it would raise serious questions about who is ultimately responsible for the effective operations of the internal control environment. The rules need to clearly address this issue.
If the Commission adopts the rules as currently proposed additional rules or measures must also be adopted. These measures should be intended to prevent management from abdicate their responsibility for the "design and implementation" of effective internal controls to their independent auditors. In the response to the Commission's questions, we have provided some possible recommendations that the Commissioners may seek to incorporate should they not issue a complete ban on such services as we have carefully advocated.
Pre-approval of Service & Disclosure of Fees Paid To Accountants
Board Members, including the audit committee members, are representatives of the shareholders. These entrusted agents need to understand the concept of independence and be active participants in monitoring the independence of the auditors engaged by them. We believe the framework provided by the commission begins to establish a clear basis by which audit committees, executives, auditors, and investors can now assess whether or not the auditors have maintained their independence or not.
When Arthur Andersen and several of their Partners entered into a consent-decree with the Securities and Exchange Commission, for their misdeeds in the Waste Management case, it was clear that the opportunity to provide additional non-audit services and earn substantial fees for such work was a contributing factor in the firm's failure to provide quality audit services. Other high profile cases, and the increasing number of financial restatements reported in the most recent year continue to suggest that the accounting industry has failed to balance it's obligation as an independent auditor against it's desire to be the leading provider of a variety of professional services to it's audit clients. The Legislators and Commission have taken appropriate measures to address these concerns through more transparent reporting requirements.
The principled-based framework proposed by the Senate and Securities and Exchange Commission for considering when an audit firm should and should not perform additional "non-audit" services was clearly enunciated in the Act's legislative history and serves as an effective guide to audit committees in assessing the scope of service to be provided by their independent auditors.
The framework suggests that in order to not impair their independence an auditor should not (1) audit his or her own work, (2) perform management functions, or (3) act as an advocate for the client.
These principles are well grounded in the professional standards of Certified Public Accountants, and within Generally Accepted Accounting Standards, as well as the Standards of Professional Practice of Internal Auditors. The Commission should be applauded for adopting this principle based approach and the commentary provided in the final rules should continue to encourage audit committee members to judiciously apply these principles as the basis for considering whether or not to employ their independent auditors to perform additional "non-audit" related services.
Recommendations & Guidance for Audit Committees
The Commission should ensure that final rules clearly require audit committees to individually approve specific engagements on a case-by-case basis. As currently worded, the rules could be interpreted to allow accounting firms and the audit committee to agree upon an aggregate basis of work within each of the "disclosure categories." This effectively would enable the independent auditors to secure the audit committees approval for audit fees for a certain amount and then non-audit fees (fees in support of the audit, or tax related fees) in an aggregate amount within each category. In effect, securing a blank check from the audit committee to perform a range of "to be determined" services. A designee of the audit committee and/or possibly management would then approve or be in a position to approve and monitor specific engagements and activities.
This may be nothing more then a creative scheme to circumvent the intended rules. The Commission should seek to provide guidance in the final rules to prevent the accounting firms and management from deploying such strategies to effectively circumvent the spirit of the Act. In response to questions raised by the commission on this topic, we have provided some additional suggestions in Appendix A.
An Investors Perspective
In reviewing the comments received to date, it should be noted that no one has explored the issues and concepts raised here in any meaningful manner or in much detail. Some commentators have requested minor modifications to certain words and or briefly affirmed the Commission's direction. The lack of public comment on these specific issues suggest that the public, and other interested bodies, may not fully understand the potential ramifications and conflicts that are inherent in these highly complex and fairly technical matters. Those who truly understand these issues have tremendous financial gains to achieve by continuing to ignore the blatant conflicts inherent in the activities noted above.
The recent scandals and criminal activity within the accounting industry has undermined the credibility and trust of these "professionals". The public accounting industry needs to step forward and candidly and truthfully take remedial efforts to restore faith in this once highly regarded profession. It is time for the accountants, and large public firms, to step forward and restore faith, trust, and integrity into their once respected profession. The current business practices and rampant abuses recently seen by many of the large firms must be corrected. Endorsing regulation and rules that are likely to further undermine the independence, objectivity, and integrity of the accounting industry should not be tolerated.
Self-Regulation has Failed - Oversight is Required
Since the accounting industry itself has neglected to take corrective action, we urge the Commission to carefully examine the issues raised here. The rules need to be sufficiently clear and appropriately restrictive, In order to protect the interests of individual investors and to restore integrity to the audited financial statements produced by the accountants. The Public Oversight Board and the Panel of Audit Effectiveness explored many of these issues in great length. They conducted substantial research on these topics. We would urge the Commission to consider the concerns brought forth by that panel and by the Former Chief Accountant of The Securities and Exchange Commission, Lynn Turner. The ideas brought forth by Former Chief Accountant Turner and the venerable Commissioner Arthur Levitt should be applauded. These individuals were visionaries with prophetic insights into the need to regulate the accounting profession.
It is apparent in the past four years that these issues have not been adequately addressed. Each of these distinguished individuals and the bodies mentioned previously have already carefully considered many of the concerns expressed in this comment letter. They have publicly advocated greater independence requirements for the Auditors of publicly registered firms. Self-regulation failed. Congress and the Senate have passed landmark legislation.
The Commission now has the opportunity and authorization having been empowered by the enactment of the Sarbanes-Oxley Act to effect significant and real change on these issues. They should absolutely execute their authority to do so in order to restore investor trust and confidence in the audited financial statements of public companies.
Tagore von Hayek, Chairman
The Center for Investor Trust,
Boston, Massachusetts 02163
The following are offered responses, and additional analysis, to the specific questions raised by the Security Commission in the proposed rules on Strengthening Auditor Independence. The Center for Investor Trust respectfully offers these ideas and recommendations in an effort that they might assist the Commission in carrying out effective reform. Effective reform is necessary in order to restore investor confidence in the role of the independent auditors.
Internal Audit Services:
Does it impair an auditor's independence if the auditor does not provide to the client outsourcing services related to the internal audit function of the audit client, but rather performs individual audit projects for the client?
As explained in the comments and analysis above, we believe that an auditor who is engaged in performing additional "non-audit" services for their audit clients does in fact impair their independence in both fact and appearance.
Understanding that many audit firms have developed expertise and skills that may be valuable to their audit clients the act of providing such additional services should be restricted to their non-audit clients so as not to impugn the objectivity or independence of the financial audit. The shareholders and investors deserve nothing less then objective and independent audited financial statements.
Any suggestion to the contrary by the public accounting community is likely to create further confusion and abuse. The profession is clearly capable of engaging in corrupt acts as was evident by the professionals of Arthur Andersen when they deemed it necessary to shred audit records to impede a federal investigation.
It is apparent that when audit firms provide additional services they are likely to later be in a position to audit their own work in violation of a basic tenet of independence.
a) The Commission should clearly state in it's commentary that the audit committee must examine on a case-by-case basis whether or not a particular "non-audit" engagement to be performed by the independent auditors is appropriate and whether the specific engagement could violate any one of the three tenets proposed in the principle-based framework.
b) It is recommended that the audit committee, or the designated member of the audit committee who is a member of the board of directors, would be required, by rule, to review the actual engagement letter for any additional procedures, and/or "non-audit" services to be provided by the independent auditor and would be required, by rule, to sign any such engagement letter.
c) It is suggested that the Commission require, as a matter of rule, the audit committee or their designated member, to review the written deliverables of the independent auditors for any non-audit related services that are provided. The commentary should suggest that the audit committee independently evaluate and consider whether or not management in fact performed the functions and responsibilities required of them in relationship to any such engagement . The audit committee should consider whether the work and activity actually performed by the external auditors could impair the external auditors independence upon completion of each engagement.
This would help ensure that the independent auditors did not in fact engage in performing a management function during the course of their engagement. The effect of this post-approval review would be very useful in helping ascertain whether or not the engagement was in fact within the bounds of the approved scope of work. Often times, scope changes as a project is in process and the unintended consequences of such actions could be very troublesome to management, the shareholders, and members of the Board of Directors.
Is additional guidance necessary to distinguish the services that would be prohibited under this proposed rule from those services that would be permitted as operational audits?
a) Absolutely. The interest of investors is best served by having a more restrictive ban on "non-audit" services and other internal audit services being performed by a company's independent auditor.
b) The final rules should specifically ban "operational audits" and "compliance audits." Providing these services to audit clients should be specifically banned because the potential for abuse is far too great. Investors need to have confidence that their independent auditors are truly independent and not motivated to appease management in order to win lucrative special projects.
c) In the absence of a complete ban on such non-audit service, the final rules should clearly state that the Audit Committee should pay particular attention and increase their oversight role when engaging their independent auditors to perform additional services not directly related to the financial audit. The commentary might mention that audit committees should seek to instruct management to use other professional service firms wherever possible when outsourcing operational and compliance related audits.
Requiring management to use other service providers not only eliminates the potential independence concerns, but it also would be in the best interest of the shareholders. Companies may in fact be better served by having a separate third party compete in a competitive marketplace for this work. This would encourage competition and free trade and would likely benefit companies by having highly talented resources compete for their "non-audit" business.
Financial Information Systems Design and Implementation
Response to Questions
Is an auditor's independence impaired when the auditor helps select or test computer software and hardware systems that generate financial data used in or underlying the financial statements? Why or Why not?
a) When an auditor engages in assisting a client in selecting or testing a software or hardware program for the client the auditor's independence is in fact impaired. The auditor is performing "non-audit" services that have absolutely no bearing on the function of performing an audit for which they were presumably engaged. Management would likely be the one engaging the auditors to perform such services and the auditor would be working at the direction of management in performing these duties. Therefore it seems that the auditor's would likely become less independent in appearance and their objectivity could become the subject of scrutiny.
b) If the auditor engaged in testing the system, they would also not only be acting in the capacity of the management of their client but they would be likely placed in the position that they would be auditing their own work at some later time (and/or presumable relying on the accuracy and integrity of the system which they were involved in testing). This clearly would be objectionable and should be prohibited as a matter of rule.
c) The rules and commentary should pay particular attention to when audit committees authorize their independent auditors to engage in these types of activities regardless of the software application or business process involved. For example, having an auditor assist in selecting and testing a tax software application, an employee benefit (including payroll), or a budgeting and planning software application would undoubtedly become problematic for the independent auditor as they eventually would need to audit (or at least consider the need to audit) these applications and processes. Having performed substantive work in these areas their judgment and objectivity could easily be compromised.
d) The final rules should explicitly prohibit these types of services. At a minimum they should strongly dissuade audit committees from approving these types of projects. If the Commission decides to take the latter approach, placing a requirement on the audit committee to not only pre-approve such services but to review the completed services would provide a sufficient deterrent to the board members from engaging their independent auditors in these activities unless absolutely necessary.
Whether a system is used to generate information that is "significant" to the audit client's financial statements may depend on the size of the engagement. Does the magnitude as a percentage of either audit fees or total fees of the fees for such services make a difference on whether performance of the service impairs independence?
a) This question is not entirely clear, but it seems to suggest that if a there should be some de minimis exception if an auditor performs services related to a system which is subsequently used to generate information deemed "significant" to the audit client's financial statement. Establishing some de minimis threshold may be desirable. Perhaps a reasonable threshold would be to not allow total fees to exceed $25,000 or 10% of total audit fees, whichever is less. With an average bill rate of $150/hour for professional services from the audit firm this would allow for approximately 4 weeks of services to be provided. Establishing a threshold would prevent the accounting firms from making their own interpretation or definition of what magnitude of work they believe would impair their independence.
b) The Commission should expand their definition of what constitutes a "system that generates information which is ultimately likely to be `significant' to the financial audit statements". Since practically all business applications and processes ultimately will be represented in the financial statements, using a term such as "significant" may cause some confusion. When Arthur Andersen was auditing WorldCom they probably did not consider the asset management systems at remote facilities to be "significant" to the financial statements, but as their internal auditors wisely determined, these systems were used to conceal very material transactions.
c) The guidance should seek to define systems with more inclusive language. This could be fairly easily accomplished by including wording such as "Whether a System, [such as tax, human resource, asset management, inventory, and pricing & billing systems for example], is used..." Providing these examples in the definition would enhance the final rules and related commentary to provide better guidance.
Additional Analysis on Auditor Independence
As part of a financial audit the audit engagement team will be involved in "diagnosing and assessing" internal controls. This is part of the audit process and to the extent that the auditor identifies opportunities for improvement, incidental to performing their duties as a financial auditor, they should be free to make specific recommendations to management related to potential improvements management could make to their internal control environment. As we have asserted previously, recommendations that an external auditor develops in the course of the financial audit should not be construed as providing advice that is ultimately critical to the overall design and operations of internal controls.
On the other hand, the notion that the external auditor could be retained to specifically provide their audit client with advice and guidance ("recommendations") under the presumption that they were not involved in the design and/or implementation of the internal controls is of grave concern. Presumably, this would likely be a "special project". For example, assisting a client in developing a strategy to comply with Section 404 of the Act. Since the Act also now requires auditors to issue an attestation about management's assertions regarding internal controls it seems incomprehensible that the auditor would in fact be independent and objective in performing these responsibilities as required in the Act if they contributed to the original design, implementation and documentation of the internal control system. This is exactly what they would do, if the Audit Committee engaged them to assist the company in assessing, diagnosing, and making recommendations for the purpose of "improving the internal control environment." This is not to say that such a project, on behalf of an issuers management and board would not be a worthy cause - it is more a matter of who should be allowed to perform such services.
The proposed rules are using industry jargon, which could be construed in a number of different ways. This is likely to be very misleading to audit committees, management and more importantly to investors. At a minimum the Commission should clearly define the terms: "Recommend", "Design" and "Implement" and provide some illustrative examples of what is and is not acceptable.
Having the independent auditor actively help their client assess the effectiveness of internal controls and make recommendations on improving those controls as a separate engagement from the financial audit is a dangerous proposition. It will absolutely impair an auditor's independence and objectivity and should be unequivocally prohibited.
Recommending controls is an essential ingredient to the design of internal controls. Engaging in the practice of "recommending" controls amounts to nothing less then assisting in the design and implementation of internal controls. Arguments and suggestions to the contrary are misguided. If an auditor assists a client in evaluating and assessing the controls of a new application or business process and provides specific recommendations to enhance the control environment, as is suggested in the proposed rules, this will have the unintended consequence of grossly impairing the auditors independence. It is a very fine and gray line between when the auditor stops making recommendations and actually begins contributing to and participating in the ultimate design of the internal control environment. Very few professional accountants would be able to provide you with a definitive point at which they "crossed the line."
If the auditor makes 10-12 recommendations and says "this is what we recommend you do to achieve an effective internal control environment." ... Then returns several months later to test the controls, what happens? The controller brings out the report and says: " we do these 10-12 things." The auditor looks and says: "great let me test one or two." Upon successfully testing the he concludes the internal control environment is being effectively controlled. This is very risky and should be prevented from occurring. The proposed rules are not adequate to prevent these types of abuses from occurring. In fact they almost seem to encourage this to occur.
Practically everything that was banned under internal audit services can now be performed under the guise that the auditor is helping the client assess and improve their internal controls. This guidance lack clarity, is confusing, and undermines other key elements of what the Legislators and Commission intend. The responses provided below aim to provide some practical alternatives that could be effectively adopted as part of the final rules. We urge the Commission to consider these recommendations and employ them as appropriate in the final rules.
Response to Questions
Do services related to designing or implementing internal accounting controls and risk management controls result in the auditor auditing his or her own work? Would such services impair an auditor's independence when the auditor is required to issue an opinion on the effectiveness of the control systems that he or she designed or implemented?
a) As stated in the analysis and body of this comment letter when the independent auditor engages in the act of performing additional services for an audit client aimed at assisting in the analysis, diagnosis, and assessment of internal accounting controls they are taking on a function and responsibility that should generally be left in the hands of management or some other suitable third-party. Failure to do so will inevitably lead to an impairment of the financial auditors independence and will likely compromise their objectivity and judgment. Not withstanding the arguments put forth previously, there is in practice very limited differences between making recommendations and designing the internal controls.
Recommendations, unless very broad in nature or ancillary to the normal activities performed during the course of a financial statement audit, would ultimately place the auditor in the position of auditing their own work. This would be especially true in the case where the independent auditor was engaged to perform a special project with the express purpose of assisting a client diagnosis, assess, document and/or otherwise assist in the evaluation of the internal control environment. This would be especially true if the end product were to provide management with specific recommendations or documentation that management would then use to "design and implement" the internal control environment. Essentially, the auditor is taking an active role in specifying the very ingredients that should be used in the design of the final product. To say that this is desirable and would not impair independence is factually inaccurate.
It would be equivalent to having a judge at a cake-baking contest recommend and suggest to one of the contestants specific ingredients that would likely enhance the bakery chefs end product. The judge would clearly be biased in his assessment of the end product. His independence would be impaired in both fact and appearance. His objectivity and judgment would be compromised. If the chef were to follow the judges recommendations (which he potentially "paid for"), it is highly unlikely that the judge would later cast dispersions or question the quality of the final cake. In the situation of a financial audit and an opinion regarding the internal controls of an entity the steaks (misspelling and pun intended!) are much higher.
A financial audit team that encounters potential internal control related issues is more likely to raise these issues to the attention of management and the Audit Committee in cases where they were not also involved in providing specific recommendations that were, or should have been, adopted as part of the system of internal controls. An Audit Partner, or Senior Manager, responsible for overseeing the internal controls testing work required by the Act would be placed in a more uncomfortable position to question the end-product, when his firm (and potentially his own engagement team), was involved in providing the client with `analysis, diagnosis, and recommendations' to improve the internal control environment. If another firm, or internal resources, had performed the work, the auditor's independence should not be a a matter of concern. In the end, the company and the shareholders will have achieved a better end result because two sets of eyes have thoroughly examined and considered the effectiveness of the internal control environment. More restrictive policy is in the interest of shareholders and would be a matter of good public policy.
Based on the analysis put forth in this comment letter, we offer the following suggestions to The Commission in formulating the final rules.
a. Issue a definitive ban on any and all such services. This is the most effective solution and avoids any potential conflicts or misapplications of the rules from applying. The Commission clearly has the authority to do so, and should do so.
b. In the absence of such a definitive position on this issue, the Commission should at least adopt language in their commentary under Management Functions that would severely curtail audit committees from engaging their independent auditors from soliciting and executing this type of work. The language should also dissuade the independent auditors from engaging in this type of activity, as it would likely compromise their independence. The current language is sufficiently broad and unclear that modifications are obviously necessary.
c. Additionally, these rules could, and should, require auditors to employ different staff (engagement personnel) as a matter of rule on these types of engagements, if performed. Having the same personnel advise the client on how to develop an effective internal control environment and then later assist in performing functions related to financial statement audit, or testing of internal controls, should be proscribed as a matter of law. If the service is not outright prohibited as we suggest it should be, then at the very least the Commission should implement clear rules and language in this area. This language should clearly state that the independent audit professionals performing the financial statement audit may not have served in any capacity on an any engagement for the same client where they assisted in assessing, diagnosing and making recommendations to management on the design of internal control procedures. This should also apply to the professionals engaged in testing management's assertions as to the internal controls as required by the act.
d. It appears that it was the intent of the Act to require management to take full-charge and responsibility for internal controls. That being the case, language that would place a specific responsibility on management should be included in the commentary to the rules.
e. Ultimately, the Board of Directors should simply avoid such situations by engaging other parties to perform these critical tasks and/or assigning additional internal resources to the function of the internal audit department. We would encourage the commission to strongly encourage, in the final rules and accompanying commentary, boards of directors to assign this responsibility directly to management and to strongly encourage management to secure the assistance of another suitable third party (preferably not the external auditors) to perform such work if necessary.
We request comment on whether there are circumstances under which an accounting firm can perform or assume management functions or responsibilities for an audit client without impairing independence?
a) There are very limited circumstances where this would be the case and in fact any time an independent audit firm engages in performing additional non-audit related services for their public audit client, their independence, objectivity, and integrity will be at risk.
PRE-APPROVAL OF SERVICES & EXPANDED DISCLOSURE OF FEES
Analysis of Audit Committee Administration of the Engagement
Audit Committees should expressly authorize any particular engagement which is beyond the scope of the annual financial statement audit. The proposed rule which states: "before the accountant is engaged by the audit client to provide services other than audit, review or attest services, the audit client's audit committee expressly approve the particular engagement" or that engagements could be "pre-approved" pursuant to a detailed pre-approval policy. When considering whether or not to engage their independent auditor to perform additional non-audit related services, audit committees should examine each engagement on a case-by-case basis.
Response to Questions
Is allowing the audit committee to engage an auditor to perform non-audit services by policies and procedures, rather than a separate vote for each service, appropriate? If so, how do we ensure that audit committees have rigorous, detailed procedures and do not, in essence, delegate that authority to management?
a) Allowing Audit Committees to abdicate their authority and responsibility to a broadly worded policy would not be prudent. It was clearly the intent of the lawmakers to create more accountability for Board Members and the Audit Committees of public companies. They should be required to consider the merits of any particular `non-audit' engagement performed by their independent auditors on a case-by-case basis.
b) The statue intended to provide more corporate governance and oversight. It was also intended to reduce the possibility of public accounting firms from engaging in the practices that became widespread in the 1990's whereby the financial audit became a loss leader for other more profitable services.
Are there specific matters that should be communicated to or considered by the audit committee prior to its engaging the auditor?
a) If Management is allowed to engage their auditors to perform services that help assess, diagnosis, or otherwise evaluate internal controls and subsequently receive specific "recommendations" from their independent auditors on how to design and implement systems of internal controls, then the Audit Committee should be required as a matter of rule to receive from management additional supporting documentation affirming that Management considered these recommendation in the design and implementation of their internal control policies and procedures. This document and managements efforts to consider, validate, and incorporate the "Recommendations" should clearly indicate that management has taken additional measures to in fact act upon the recommendations put forth by their independent auditors.
b) The Audit Committee in turn should be required to assess whether or not Management has exercised appropriate diligence and due process in exercising their responsibilities. To not consider these factors would be to ignore the potential independence issues associated with these types of engagements and would be against the public interest and against the interest of individual investors.
Should the Commission provide additional specific guidance to assist audit committees when deliberating auditor independence issues? What topics would be helpful?
a) Certainly. The complexity of many of the issues raised here suggest that in order to best protect the interest of the shareholders and individual investors, any additional guidance that can be provided to assist the audit committee in evaluating whether or not the auditor is in fact independent would be extremely beneficial.
b) There are several suggestions mentioned in this comment letter, as well as in the comment letter provided by others. If the audit committee adopts a policy that they will not engage their independent auditor for any non-audit services this point and guidance would become mute. In the interest of protecting the public trust this approach would be sensible and worthwhile. In the event that the audit committee determines that they will in fact engage their independent auditors to perform additional non-audit related services, then they should disclose to investors specific reasons why these decisions and activities were best performed by their independent auditors. This required disclosure approach would help ensure that the investors trust and confidence can be achieved. Board Members, and the audit committees, should be required to take any such decisions to employ their auditors for additional services only after carefully deliberation. Increased transparency and board member deliberation would be good public policy.
c) Requiring audit committees to secure a competitive bid on any such services to be outsourced, or otherwise awarded, to their external auditors should be required. Much like non-profits and government agencies that are required seek competitive bids, such a requirement could prove useful as a corporate governance requirement. Such a rule would not only ensure that the work was truly more efficiently performed (one of the common arguments put forth by the accounting community) by the independent auditors, but it would also act to encourage management to consider hiring other, possibly more qualified and more objective professionals to assist on important projects. This type of a provision in the final rules would benefit shareholders and should be incorporated as a either a requirement or a general guideline, or recommendation.
d) Audit committees should not be engaged in the practice of authorizing blanket "fee-ranges" within a category for services to be performed without a clear understanding of the specific nature and scope of such services. This should be prohibited by rule.
e) The audit committee should consider whether or not it would be appropriate to institute policies whereby all deliverables from non-audit engagements are made available directly to the Audit Committee members for review and consideration in their on-going analysis of whether or not the audit's are sufficiently independent. Alternatively, the audit committees should consider requiring an opinion from either the General Counsel and/or General Auditor, of the company, that they have reviewed in detail the non-audit work performed by the independent auditors and have considered whether or not such work could potentially impair the external auditor's independence or objectivity. Such guidance could be incorporated into the final rules as either a requirement or as general guidance in the commentary.
f) Since the independent auditors are engaged to represent the shareholders of a corporation and not management, it might be worthwhile to impose a rule, which would require independent auditors to file their engagement letters for non-audit services with the commission for public disclosure. In this way, the shareholders would be able to be fully informed as to the nature and extent of non-audit related services being provided by the independent auditors whom they elected.
g) Finally, requiring a post-engagement evaluation of the scope of services and resulting deliverables with the purpose of determining whether or not the activities performed could in anyway impair the auditor's independence would be a worth-while recommendation to include in any such guidance. The Commission staff and professionals could easily offer supplemental guidance that was independent of the rules but equally informative to Audit Committees and the public accounting firms that the Act intends to regulate.