Home > News & Events > Press Releases
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
FEDERAL DEPOSIT INSURANCE CORPORATION
NATIONAL CREDIT UNION ADMINISTRATION
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters
AGENCIES: Office of Thrift Supervision (OTS), Treasury; Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); National Credit Union Administration (NCUA); Office of the Comptroller of the Currency (OCC), Treasury.
ACTION: Issuance of Interagency Advisory.
SUMMARY: The OTS, Board, FDIC, NCUA, and OCC (collectively, the "Agencies"), have finalized the Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters ("Advisory"). The Advisory informs financial institutions' boards of directors, audit committees, and management that they should not enter into agreements that incorporate unsafe and unsound external auditor limitation of liability provisions with respect to engagements for financial statement audits, audits of internal control over financial reporting, and attestations on management's assessment of internal control over financial reporting.
EFFECTIVE DATE: The Advisory is effective for engagement letters executed on or after [INSERT DATE OF PUBLICATION IN THE FEDERAL REGISTER].
FOR FURTHER INFORMATION CONTACT:
Reliable financial and regulatory reporting supports the Agencies' risk-focused supervision of financial institutions by contributing to effective pre-examination planning and off-site monitoring and appropriate assessments of an institution's internal control over financial reporting, capital adequacy, financial condition, and performance. Audits play a valuable role in ensuring the reliability of institutions' financial information.
The Agencies believe that when financial institutions agree to limit their external auditors' liability, either in provisions in engagement letters or in provisions that accompany alternative dispute resolution (ADR) agreements, such provisions may weaken the external auditors' objectivity, impartiality, and performance. The inclusion of such provisions in financial institutions' external audit engagement letters may reduce the reliability of audits and therefore raises safety and soundness concerns.
On May 10, 2005, the Federal Financial Institutions Examinations Council (FFIEC) on behalf of the Agencies published in the Federal Register a proposed Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions and Certain Alternative Dispute Resolution Provisions in External Audit Engagement Letters (70 FR 24576) and sought comments to fully understand the effect of the proposed Advisory on financial institutions.
II. Scope of Advisory
III. Summary of Comments
Most financial institutions and industry trade groups supported the proposed Advisory and commended the Agencies' efforts. A number of the commenters explained that limitation of liability provisions in audit engagement letters originate with external auditing firms rather than financial institutions.
Most of the letters from external auditors opposed the proposal. External auditors explained that limitation of liability provisions are risk management tools commonly used in audit engagement pricing as well as in other business transactions. They asserted that such provisions allocate risk and facilitate a timely and cost effective means to resolve disputes while minimizing litigation expenses. Further, auditors stated that they should not be liable for losses resulting from knowing misrepresentations by the client's management.
A number of commenters asked for clarification on the scope of the Advisory and on the application of the Advisory to ADR agreements (e.g., arbitration) and waivers of jury trials. The Agencies have addressed these comments in the Advisory.
A number of commenters stated that the U.S. Securities and Exchange Commission (SEC), the Public Company Accounting Oversight Board (PCAOB), and the American Institute of Certified Public Accountants (AICPA) have established auditor independence rules and requirements; therefore, they asserted, the Advisory is not needed. Other commenters expressed a need for the SEC, PCAOB, and AICPA to clarify their guidance. On September 15, 2005, the AICPA published for comment its proposed interpretation of its auditor independence standards. In that proposal, the AICPA specifically identified limitation of liability provisions that impair auditor independence under its standards. Most of the provisions cited as unsafe and unsound in the Agencies' Advisory were also deemed to impair independence in the AICPA's proposed interpretation.
B. Risk Management and Business Practices
Auditors further stated that the Advisory largely ignores the interest that financial institutions have in obtaining professional and independent audit services within a framework of allocated risk. Further, auditors stated that the Advisory attempts to use safety and soundness as a means for setting auditor independence standards and limits the use of accepted business practices to manage disputes. In addition, the auditors and some financial institutions expressed concerns that the Advisory may result in an increase in costs and be a disincentive for financial institutions to continue to engage an auditor when not required to do so.
The Agencies continue to believe that certain limitation of liability provisions reduce the auditor's accountability and thus may weaken the auditor's objectivity, impartiality, and performance. In the Agencies' judgment, concerns about potential increased costs or restrictions on the ability of the parties to an audit engagement letter to allocate risk do not outweigh the need to protect financial institutions from the safety and soundness concerns posed by such limitation of liability provisions. Furthermore, any disincentive for financial institutions to obtain Audits when not required should be limited because Audits represent best practices and are strongly encouraged by the Agencies.
In addition, these limitations on external auditor liability may not be consistent with the auditor independence standards of the SEC, PCAOB, and AICPA. All financial institution Audits must comply with the independence standards set by one or more of these standard-setters.
C. Management's Knowing Misrepresentations
Those commenters further stated that indemnification for management's knowing misrepresentations communicates a commitment that financial institution management and its governing board understand their responsibilities to perform honestly and legally. These commenters rejected the assertion that indemnifying auditors for management's knowing misrepresentations might cause an auditor to lose independence or to perform a less responsible audit. They also stated that protections that the client may provide against the client's own knowing misrepresentations do not preclude third parties from suing the auditor.
Nevertheless, a clause that would release, indemnify, or hold an external auditor harmless from any liability resulting from knowing misrepresentations by management is inappropriate under the SEC's existing guidance on auditor independence (see Appendix B of the Advisory). The inclusion in external audit engagement letters of limitation of liability provisions that are prohibited by the auditor independence rules and interpretations of the SEC, PCAOB, or AICPA is considered an unsafe and unsound practice for financial institutions. Provisions not clearly addressed by authoritative guidance may also raise safety and soundness concerns when there is a potential impairment of the external auditors' independence, objectivity, impartiality, or performance.
The AICPA's Professional Standards, AU Section 110: Responsibilities and Functions of the Independent Auditor state: "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud." The Agencies believe that including an indemnification or limitation of liability provision for the client's knowing misrepresentations, willful misconduct, or fraudulent behavior in an Audit engagement letter may not be viewed as consistent with the auditor's duty and obligation to comply with auditing standards.
The Agencies acknowledge that management bears the responsibility for its conduct and representations. Nevertheless, the auditor has a responsibility to obtain reasonable assurance that the financial statements are free from material misstatements, including misstatements caused by management fraud. A limitation of liability provision in external Audit engagement letters for management's knowing misrepresentations, willful misconduct, or fraudulent behavior could act to reduce the auditor's professional skepticism. Limited liability could lead to inadvertent consequences such as an auditor not fully considering the possibility that management fraud exists. This might result in less robust challenges to and over-reliance on management's representations rather than performance of appropriate audit procedures to corroborate them.
The Agencies believe that the auditor's potential liability related to material misstatements due to management's misrepresentations should be decided by a trier of fact in a legal or other proceeding and should not be predetermined in the engagement letter. The trier of fact would take into account whether the Audit was properly conducted in accordance with applicable auditing standards.
D. Auditor Independence and Performance Standards
In contrast, other commenters contended that all of the provisions in the proposal impair an auditor's independence. This view was most clearly expressed in the comment letter from an independent proxy and financial research firm, which stated, "We believe audit engagement letters containing liability limitations impair the auditor's independence and reduce audit quality to an unacceptable level." They further stated, "We believe it is inappropriate for an audit contract between a company and its auditor to limit the auditor's liability including (1) any limitations on rights to trial, (2) limits on compensatory or punitive damages, or (3) limits on discovery, including in arbitration."
A number of commenters discussed the auditor's requirement to comply with auditing standards and stated that the failure to comply with such standards would result in the violation of the requirements of the SEC, PCAOB, AICPA, and/or state licensing authorities. Some commenters stated that adherence to professional auditing standards is further assured by periodic peer reviews and by PCAOB inspections. Commenters noted that auditors are subject to possible disciplinary action by state boards of accountancy, the SEC, the PCAOB, and the AICPA. These commenters concluded that the auditor's performance is controlled by professional standards and is not influenced by provisions in audit engagement letters that limit the auditor's liability. Consequently, they believed that the Advisory is unnecessary.
The Agencies' observations lead them to conclude otherwise. Their concern is that limitation of liability provisions may adversely impact the reliability of Audits whether related to disincentives for auditor performance or impairment of auditor independence in fact or appearance. The Agencies have not attempted to categorize limitation of liability provisions that adversely affect safety and soundness as either matters of performance or independence.
The Agencies acknowledge that the SEC, PCAOB, and AICPA set independence and performance standards for auditors. The Advisory does not purport to affect those standards. Regardless of whether limitation of liability provisions are permissible under auditor independence standards, the Agencies have a separate obligation to evaluate their impact on the safety and soundness of financial institutions.
Some commenters questioned whether the Agencies have adequate evidence that limitation of liability provisions adversely affect auditor independence, objectivity, and performance. The Agencies acknowledge that it is inherently difficult to prove links from circumstances to states of mind and from there to performance. Nevertheless, the Agencies cannot wait for proof of harm before establishing guidance to ensure the safety and soundness of financial institutions. The Agencies must make judgments about circumstances that may render Audits less reliable. The Agencies' concern with the potential impact of such provisions is not only that an auditor might intentionally act less than appropriately, but might unconsciously do so.
A reasonable person may believe that limitation of liability provisions create circumstances that may adversely affect Audit reliability. For example, a reasonable person may conclude that if the auditor faces less potential liability for the Audit, the auditor may be less thorough. Further, that knowledge may erode the auditor's independence of mind.
The Agencies observe that the SEC has addressed limitations of liability in its independence rulings for more than 50 years. The AICPA also addresses limitations of liability in its independence standards and related interpretations. Additionally, many commenters stated that limitations of liability impair an auditor's independence.
Auditors, in their comments, expressed inconsistent interpretations of the meaning and scope of the SEC, PCAOB, and AICPA auditing standards relating to limitations of liability. The Agencies have concluded that supervisory guidance in addition to the existing auditing standards is necessary to carry out their safety and soundness mandate. Because the Agencies rely on Audits to help ensure the safety and soundness of financial institutions, they are necessarily concerned with provisions that could affect the auditor's judgment and professional skepticism. Thus, the Agencies have concluded that since the limitation of liability provisions may adversely affect Audit reliability, such provisions are considered unsafe and unsound.
E. Waivers of Punitive Damages
Due in part to the extensive comments regarding client agreements not to seek punitive damages from their auditors, the Agencies have decided to take the issue under advisement. Accordingly, at this time, provisions that waive the right of financial institutions to seek punitive damages from their external auditor are not treated as unsafe and unsound under the Advisory. Nevertheless, the Agencies have concluded that agreements by financial institutions to indemnify their auditors for third party punitive damage awards are deemed unsafe and unsound.
To enhance transparency and market discipline, public financial institutions that agree to waive claims for punitive damages against their external auditors may want to disclose annually the nature of these arrangements in their proxy statements or other public reports.
F. Alternative Dispute Resolution Agreements and Waiver of Jury Trials
A number of commenters stated that the Advisory addresses mandatory ADR mechanisms and the waiver of jury trials in a way that will discourage financial institutions from agreeing in advance with their auditors to use these widely accepted, efficient, and cost effective means of resolving disputes. A few commenters noted that ADR and waiver of jury trial provisions do not take away rights; they merely reflect the parties' choice of a method for resolving a dispute. Further, commenters stated that the Agencies have previously issued pronouncements that recognize and even encourage the use of ADR, for example, the FDIC's Statement of Policy on Use of Binding Arbitration (66 FR 18632, (April 10, 2001)). The Interagency Policy Statement on the Internal Audit Function and its Outsourcing (issued by the OTS, Board, FDIC, and OCC in March 2003) provides that all written contracts between vendors and financial institutions shall prescribe a process (arbitration, mediation, or other means) for resolving disputes and for determining who bears the costs of consequential damages arising from errors, omissions, and negligence. Commenters also stated that ADR is commercially reasonable because it creates certainty and reduces litigation-related costs, and therefore, should be encouraged.
The Agencies observed that limitation of liability provisions frequently accompanied ADR or waiver of jury trial agreements contained in or referenced by Audit engagement letters. The Agencies do not oppose ADR or waiver of jury trial agreements. However, the Agencies do object to the practice of including unsafe and unsound limitation of liability provisions in these agreements.
In response to the comments received, the Agencies clarified that ADR or waiver of jury trial provisions in Audit engagement letters do not present safety and soundness concerns, provided the agreements do not incorporate limitation of liability provisions. Institutions should carefully review ADR and jury trial provisions in engagement letters, as well as any agreements regarding rules of procedure. ADR agreements should not include any unsafe and unsound limitation of liability provisions. The Advisory does not change or affect previously issued policies referencing ADR and does not encourage or discourage the use of ADR in Audit engagement letters.
G. Legal Considerations
Another commenter stated that certain jurisdictions prohibit claims against auditors where management fraud is imputable to the client. The Advisory is not intended to override existing state or federal laws that govern the types of damages that may be awarded by the courts. It advises financial institutions' boards of directors, audit committees, and management that they should not agree to any Audit engagement letters that may present safety and soundness concerns, including provisions that may violate the auditor independence standards of the SEC, PCAOB, or AICPA, as applicable.
One commenter stated that the Agencies have not complied with the legal constraints on federal agency rulemaking (e.g., the Administrative Procedures Act (APA) and Executive Order 12866) with the Advisory. The APA prohibits agency action that is, among other things, arbitrary and capricious. Executive Order 12866 provides that when a federal agency engages in rulemaking, it must first determine whether a rule is necessary.
The Agencies have authority to issue safety and soundness guidance without engaging in a formal rulemaking procedure. Under 12 U.S.C. 1831p-1(d)(1), the Agencies issue standards for safety and soundness by regulation or by guideline. The Advisory is issued under that authority and the supervisory authority vested in each of the Agencies. The Agencies have determined that there is a significant need for guidance based on their review of actual auditor engagement letters, the comments from financial institutions that strongly expressed a need for guidance, and the likely benefits as compared to the possible costs.
H. Other Considerations
Other commenters stated that auditors should only be liable for audits they perform. The commenters believed that a financial institution's engagement letter covers only the period under audit and that auditors should not be held responsible for losses arising in subsequent periods in which the auditor was not engaged. Further, losses that arise in subsequent periods that may be related to matters that existed during periods previously audited by another audit firm should not result in a liability to the successor audit firm.
The Agencies concur with the concept that auditors are not responsible for the work of others. The Agencies object to provisions that are worded in a way that may not only preclude collection of consequential damages for harm in later years, but that may also preclude any recovery at all. For example, the Agencies observed provisions where no claim of liability could be brought against an auditor until the audit report is actually delivered, and then these provisions limited any liability thereafter to claims raised during the period covered by the audit. In other words, the auditor's liability may be limited to claims raised during the period before there could be any liability. Read more broadly, the auditor would be liable for losses that arise in subsequent years only if the auditor continued to audit subsequent periods.
Several commenters asked the Agencies to provide examples of losses sustained by financial institutions as a result of limitation of liability provisions discussed in the Advisory. The Agencies' charge is to identify and mitigate the risk of loss to financial institutions, not merely to react after losses occur. Therefore, the appropriate standard to be applied in the Advisory is the risk of loss created by limitation of liability provisions, and not losses sustained by reason of such provisions.
I. Questions, Comments, and Responses
Comments and Responses: The vast majority of commenters stated that the Advisory should apply uniformly to audits of financial statements for all financial institutions. A few commenters stated that voluntary audits should not be subject to the provisions in the Advisory. Several commenters stated that the Advisory should apply to audits of all entities, not just financial institutions.
Since the Agencies are concerned with the safety and soundness of all financial institutions, the Advisory applies to all Audits of financial institutions including voluntary Audits. Regarding the comments relative to the broader application of the Advisory, the Agencies do not have the authority to apply the Advisory to entities other than financial institutions.
Comments and Responses: Several commenters stated that the Advisory will harm financial institutions' ability to negotiate the terms of audit engagements and therefore either result in higher audit costs or a lessened ability to negotiate on usual business terms. Other commenters stated that negotiations would be easier because auditors would not be able to force undesirable terms into engagement letters.
The Agencies believe that the Advisory does not unduly affect the negotiating positions of the parties or pose undue burdens on auditors because these clauses did not exist in the majority of the engagement letters reviewed by the Agencies.
Comments and Responses: The majority of commenters stated that audit fees would increase; however, the range of increase was judged to be anywhere from "insignificant" to "dramatic." A few commenters stated that fees would remain the same because many auditors have performed audits without limitation of liability provisions for a very long period of time. Most commenters stated that an increase in audit fees would not discourage financial institutions from engaging auditors because Audits represent best business practices and because the benefits of Audits would continue to outweigh the costs.
A few commenters said that the increase in fees would reduce the number of financial institutions that voluntarily obtain audits. More than half of the commenters expressed concern about the number of auditors willing to perform audits of financial institutions because of the inability to include limitation of liability provisions in the engagement letters.
Several commenters noted that the use of such clauses furthers the public interest in reducing dispute resolution costs and ensures the availability of reasonably affordable audit services and the equitable distribution of financial risk. Commenters also noted that audit fees are determined by a variety of factors and engagement risk is a significant component.
In the Agencies' judgment, any concerns about potential increased costs or restrictions on the ability of the parties to an Audit engagement letter to allocate risk do not outweigh the need to protect financial institutions from safety and soundness concerns posed by limitation of liability provisions. Furthermore, any disincentive for financial institutions to obtain Audits when not required should be limited because Audits represent best practices and are strongly encouraged by the Agencies.
The Agencies do not believe that the Advisory would significantly affect the number of audit firms willing to provide external Audit services to financial institutions because limitation of liability provisions were not present in the majority of the engagement letters reviewed by the Agencies.
Comments and Responses: The vast majority of commenters found the three general categories of limitation of liability provisions complete and accurate and did not express a need for the Advisory or terminology to be clarified. It was apparent from the comments received that the discussion of ADR was unclear; the Agencies have clarified their position in the Advisory.
Comments and Responses: The vast majority of commenters found the examples of limitation of liability provisions to clearly and sufficiently illustrate the types of provisions that are inappropriate. A number of commenters stated that permitting an auditor and a client to agree to a release from or indemnification for claims resulting from knowing misrepresentations by management is fundamentally fair to the client and is a significant deterrent to management fraud. As discussed in section C. Management's Knowing Misrepresentations, the Agencies are not persuaded by the commenters' arguments.
Comments and Responses: Very few commenters directly responded to this question. Those commenters indicated there is not a valid business purpose for financial institutions to agree to any limitation of liability provision in audit engagements.
Comments and Responses: The vast majority of commenters stated that accepted audit engagement letters containing limitation of liability provisions should not require nullification for a number of reasons including the fact that a contract negotiated in good faith should not be subject to renegotiation.
The Agencies agreed with these comments. The Advisory applies to Audit engagement letters executed on or after [INSERT DATE OF PUBLICATION IN THE FEDERAL REGISTER]. Financial institutions are not required to nullify Audit engagement letters executed prior to [INSERT DATE OF PUBLICATION IN THE FEDERAL REGISTER]. If a financial institution has executed a multi-year Audit engagement letter prior to [INSERT DATE OF PUBLICATION IN THE FEDERAL REGISTER] (e.g., covering years ending in 2007 or later), the Agencies encourage financial institutions to seek to amend the engagement letter to be consistent with the Advisory for any Audit periods ending in 2007 or later.
IV. Paperwork Reduction Act
The text of the Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters follows:
INTERAGENCY ADVISORY ON THE UNSAFE AND UNSOUND USE OFLIMITATION OF LIABILITY PROVISIONSIN EXTERNAL AUDIT ENGAGEMENT LETTERS
Limits on external auditors' liability may weaken the external auditors' objectivity, impartiality, and performance and, thus, reduce the Agencies' ability to rely on Audits. Therefore, certain limitation of liability provisions (described in this Advisory and Appendix A) are unsafe and unsound. In addition, such provisions may not be consistent with the auditor independence standards of the U.S. Securities and Exchange Commission (SEC), the Public Company Accounting Oversight Board (PCAOB), and the American Institute of Certified Public Accountants (AICPA).
While the Agencies have observed several types of limitation of liability provisions in external Audit engagement letters, this Advisory applies to any agreement that a financial institution enters into with its external auditor that limits the external auditor's liability with respect to Audits in an unsafe and unsound manner.
Typically, a written engagement letter is used to establish an understanding between the external auditor and the financial institution regarding the services to be performed in connection with the financial institution's audit. The engagement letter commonly describes the objective of the audit, the reports to be prepared, the responsibilities of management and the external auditor, and other significant arrangements (e.g., fees and billing). The Agencies encourage boards of directors, audit committees, and management to closely review all of the provisions in the audit engagement letter before agreeing to sign. As with all agreements that affect a financial institution's legal rights, legal counsel should carefully review audit engagement letters to help ensure that those charged with engaging the external auditor make a fully informed decision.
While the Agencies have not observed provisions that limit an external auditor's liability in the majority of external audit engagement letters reviewed, they have observed a significant increase in the types and frequency of these provisions. These provisions take many forms, making it impractical to provide an all-inclusive list. This Advisory describes the types of objectionable limitation of liability provisions and provides examples.3
Financial institutions' boards of directors, audit committees, and management should also be aware that certain insurance policies (such as error and omission policies and director and officer liability policies) might not cover losses arising from claims that are precluded by limitation of liability provisions.
LIMITATION OF LIABILITY PROVISIONS
Collectively, these categories of provisions are referred to in this Advisory as "limitation of liability provisions."
Provisions that waive the right of financial institutions to seek punitive damages from their external auditor are not treated as unsafe and unsound under this Advisory. Nevertheless, agreements by clients to indemnify their auditors against any third party damage awards, including punitive damages, are deemed unsafe and unsound under this Advisory. To enhance transparency and market discipline, public financial institutions that agree to waive claims for punitive damages against their external auditors may want to disclose annually the nature of these arrangements in their proxy statements or other public reports.
Many financial institutions are required to have their financial statements audited while others voluntarily choose to undergo such audits.4 For example, banks, savings associations, and credit unions with $500 million or more in total assets are required to have annual independent audits.5 Certain savings associations (for example, those with a CAMELS rating of 3, 4, or 5) and savings and loan holding companies are also required by OTS regulations to have annual independent audits. Furthermore, financial institutions that are public companies6 must have annual independent audits. The Agencies rely on the results of Audits as part of their assessment of the safety and soundness of a financial institution.
In order for Audits to be effective, the external auditors must be independent in both fact and appearance, and must perform all necessary procedures to comply with auditing and attestation standards established by either the AICPA or, if applicable, the PCAOB. When financial institutions execute agreements that limit the external auditors' liability, the external auditors' objectivity, impartiality, and performance may be weakened or compromised, and the usefulness of the Audits for safety and soundness purposes may be diminished.
By their very nature, limitation of liability provisions can remove or greatly weaken external auditors' objective and unbiased consideration of problems encountered in audit engagements and may diminish auditors' adherence to the standards of objectivity and impartiality required in the performance of Audits. The existence of such provisions in external audit engagement letters may lead to the use of less extensive or less thorough procedures than would otherwise be followed, thereby reducing the reliability of Audits. Accordingly, financial institutions should not enter into external audit arrangements that include unsafe and unsound limitation of liability provisions identified in this Advisory, regardless of (1) the size of the financial institution, (2) whether the financial institution is public or not, or (3) whether the external audit is required or voluntary.AUDITOR INDEPENDENCE
Currently, auditor independence standard-setters include the SEC, PCAOB, and AICPA. Depending upon the audit client, an external auditor is subject to the independence standards issued by one or more of these standard-setters. For all credit unions under the NCUA's regulations, and for other non-public financial institutions that are not required to have annual independent audits pursuant to either Part 363 of the FDIC's regulations or § 562.4 of the OTS's regulations, the Agencies' rules require only that an external auditor meet the AICPA independence standards; they do not require the financial institution's external auditor to comply with the independence standards of the SEC and the PCAOB.
In contrast, for financial institutions subject to the audit requirements either in Part 363 of the FDIC's regulations or in § 562.4 of the OTS's regulations, the external auditor should be in compliance with the AICPA's Code of Professional Conduct and meet the independence requirements and interpretations of the SEC and its staff.7 In this regard, in a December 13, 2004, Frequently Asked Question (FAQ) on the application of the SEC's auditor independence rules, the SEC staff reiterated its long-standing position that when an accountant and his or her client enter into an agreement which seeks to provide the accountant immunity from liability for his or her own negligent acts, the accountant is not independent. The FAQ also states that including in engagement letters a clause that would release, indemnify, or hold the auditor harmless from any liability and costs resulting from knowing misrepresentations by management would impair the auditor's independence.8 The SEC's FAQ is consistent with Section 602.02.f.i. (Indemnification by Client) of the SEC's Codification of Financial Reporting Policies. (Section 602.02.f.i. and the FAQ are included in Appendix B.)
Based on this SEC guidance and the Agencies' existing regulations, certain limits on auditors' liability are already inappropriate in audit engagement letters entered into by:
In addition, certain of these limits on auditors' liability may violate the AICPA independence standards. Notwithstanding the potential applicability of auditor independence standards, the limitation of liability provisions discussed in this Advisory present safety and soundness concerns for all financial institution Audits.
ALTERNATIVE DISPUTE RESOLUTION AGREEMENTS AND JURY TRIAL WAIVERS
The Agencies recognize that mandatory ADR procedures and jury trial waivers may be efficient and cost-effective tools for resolving disputes in some cases. Accordingly, the Agencies believe that mandatory ADR or waiver of jury trial provisions in external Audit engagement letters do not present safety and soundness concerns, provided that the engagement letters do not also incorporate limitation of liability provisions. The Agencies encourage institutions to carefully review mandatory ADR and jury trial provisions in engagement letters, as well as any agreements regarding rules of procedure, and to fully comprehend the ramifications of any agreement to waive any available remedies. Financial institutions should ensure that any mandatory ADR provisions in Audit engagement letters are commercially reasonable and:
This Advisory applies to engagement letters executed on or after [INSERT DATE PUBLISHED IN THE FEDERAL REGISTER]. The inclusion of limitation of liability provisions in external Audit engagement letters and other agreements that are inconsistent with this Advisory will generally be considered an unsafe and unsound practice. The Agencies' examiners will consider the policies, processes, and personnel surrounding a financial institution's external auditing program in determining whether (1) the engagement letter covering external auditing activities raises any safety and soundness concerns, and (2) the external auditor maintains appropriate independence regarding relationships with the financial institution under relevant professional standards. The Agencies may take appropriate supervisory action if unsafe and unsound limitation of liability provisions are included in external Audit engagement letters or other agreements related to Audits that are executed (accepted or agreed to by the financial institution) on or after [INSERT DATE PUBLISHED IN THE FEDERAL REGISTER].
4 For banks and savings associations, see Section 36 of the Federal Deposit Insurance Act (FDI Act) (12 U.S.C. 1831m) and Part 363 of the FDIC's regulations (12 CFR Part 363). For credit unions, see Section 202(a)(6) of the Federal Credit Union Act (12 U.S.C. 1782(a)(6)) and Part 715 of the NCUA's regulations (12 CFR Part 715).
7 See FDIC Regulation 12 CFR Part 363, Appendix A—Guidelines and Interpretations; Guideline 14, Role of the Independent Public Accountant – Independence; and OTS Regulation 12 CFR 562.4(d)(3)(i), Qualifications for independent public accountants.
8 In contrast to the SEC's position, AICPA Ethics Ruling 94 (ET §191.188-189) currently concludes that indemnification for "knowing misrepresentations by management" does not impair independence. On September 15, 2005, the AICPA published for comment its proposed interpretation of its auditor independence standards. In that proposal the AICPA specifically identified limitation of liability provisions that impair auditor independence under the AICPA's standards. Most of the provisions cited in this Advisory were deemed to impair independence in the AICPA's proposed interpretation. At this writing, the AICPA has not issued a final interpretation.
Examples of Unsafe and Unsound Limitation of Liability Provisions
1. "Release from Liability for Auditor Negligence" Provision
Example: In no event shall [the audit firm] be liable to the Financial Institution, whether a claim be in tort, contract or otherwise, for any consequential, indirect, lost profit, or similar damages relating to [the audit firm's] services provided under this engagement letter, except to the extent finally determined to have resulted from the willful misconduct or fraudulent behavior of [the audit firm] relating to such services.
2. "No Damages" Provision
Example: In no event will [the audit firm's] liability under the terms of this Agreement include responsibility for any claimed incidental or consequential damages.
3. "Limitation of Period to File Claim" Provision
Example: It is agreed by the Financial Institution and [the audit firm] or any successors in interest that no claim arising out of services rendered pursuant to this agreement by, or on behalf of, the Financial Institution shall be asserted more than two years after the date of the last audit report issued by [the audit firm].
4. "Losses Occurring During Periods Audited" Provision
Example: In the event the Financial Institution is dissatisfied with [the audit firm's] services, it is understood that [the audit firm's] liability, if any, arising from this engagement will be limited to any losses occurring during the periods covered by [the audit firm's] audit, and shall not include any losses occurring in later periods for which [the audit firm] is not engaged as auditors.
5. "No Assignment or Transfer" Provision
Example: The Financial Institution agrees that it will not, directly or indirectly, agree to assign or transfer any claim against [the audit firm] arising out of this engagement to anyone.
6. "Knowing Misrepresentations by Management" Provision
Example: Because of the importance of oral and written management representations to an effective audit, the Financial Institution releases and indemnifies [the audit firm] and its personnel from any and all claims, liabilities, costs, and expenses attributable to any knowing misrepresentation by management.
7. "Indemnification for Management Negligence" Provision
Example: The Financial Institution shall indemnify, hold harmless and defend [the audit firm] and its authorized agents, partners and employees from and against any and all claims, damages, demands, actions, costs and charges arising out of, or by reason of, the Financial Institution's negligent acts or failure to act hereunder.
8. "Damages Not to Exceed Fees Paid" Provision
Example: [The audit firm] shall not be liable for any claim for damages arising out of or in connection with any services provided herein to the Financial Institution in an amount greater than the amount of fees actually paid to [the audit firm] with respect to the services directly relating to and forming the basis of such claim.
Note: The Agencies also observed a similar provision that limited damages to a predetermined amount not related to fees paid.
SEC's Codification of Financial Reporting Policies, Section 602.02.f.i
and the SEC's December 13, 2004, FAQ on Auditor Independence
Section 602.02.f.i - Indemnification by Client, 3 Fed. Sec. L. (CCH) ¶38,335, at 38,603-17 (2003):
Inquiry was made as to whether an accountant who certifies financial statements included in a registration statement or annual report filed with the Commission under the Securities Act or the Exchange Act would be considered independent if he had entered into an indemnity agreement with the registrant. In the particular illustration cited, the board of directors of the registrant formally approved the filing of a registration statement with the Commission and agreed to indemnify and save harmless each and every accountant who certified any part of such statement, "from any and all losses, claims, damages or liabilities arising out of such act or acts to which they or any of them may become subject under the Securities Act, as amended, or at `common law,' other than for their willful misstatements or omissions."
When an accountant and his client, directly or through an affiliate, have entered into an agreement of indemnity which seeks to assure to the accountant immunity from liability for his own negligent acts, whether of omission or commission, one of the major stimuli to objective and unbiased consideration of the problems encountered in a particular engagement is removed or greatly weakened. Such condition must frequently induce a departure from the standards of objectivity and impartiality which the concept of independence implies. In such difficult matters, for example, as the determination of the scope of audit necessary, existence of such an agreement may easily lead to the use of less extensive or thorough procedures than would otherwise be followed. In other cases it may result in a failure to appraise with professional acumen the information disclosed by the examination. Consequently, the accountant cannot be recognized as independent for the purpose of certifying the financial statements of the corporation. (Emphasis added.)
U.S. Securities and Exchange Commission; Office of the Chief Accountant: Application of the Commission's Rules on Auditor Independence Frequently Asked Questions; Other Matters - Question 4 (issued December 13, 2004):
Q: Has there been any change in the Commission's long standing view (Financial Reporting Policies – Section 600 – 602.02.f.i. "Indemnification by Client") that when an accountant enters into an indemnity agreement with the registrant, his or her independence would come into question?
A: No. When an accountant and his or her client, directly or through an affiliate, enter into an agreement of indemnity that seeks to provide the accountant immunity from liability for his or her own negligent acts, whether of omission or commission, the accountant is not independent. Further, including in engagement letters a clause that a registrant would release, indemnify or hold harmless from any liability and costs resulting from knowing misrepresentations by management would also impair the firm's independence. (Emphasis added.)
[THIS SIGNATURE PAGE PERTAINS TO THE "INTERAGENCY ADVISORY ON THE UNSAFE AND UNSOUND USE OF LIMITATION OF LIABILITY PROVISIONS IN EXTERNAL AUDIT ENGAGEMENT LETTERS."]
Dated: February 1, 2006
By the Office of Thrift Supervision,
John M. Reich (signed)
[THIS SIGNATURE PAGE PERTAINS TO THE "INTERAGENCY ADVISORY ON THE UNSAFE AND UNSOUND USE OF LIMITATION OF LIABILITY PROVISIONS IN EXTERNAL AUDIT ENGAGEMENT LETTERS."]
By order of the Board of Governors of the Federal Reserve System, February 1, 2006.
Jennifer J. Johnson (signed)
[THIS SIGNATURE PAGE PERTAINS TO THE "INTERAGENCY ADVISORY ON THE UNSAFE AND UNSOUND USE OF LIMITATION OF LIABILITY PROVISIONS IN EXTERNAL AUDIT ENGAGEMENT LETTERS."]
Dated at Washington, D.C., the 2nd day of February, 2006.
By order of the Federal Deposit Insurance Corporation.
Robert E. Feldman (signed)
By the National Credit Union Administration Board on January 31, 2006.
Mary F. Rupp (signed)
[THIS SIGNATURE PAGE PERTAINS TO THE "INTERAGENCY ADVISORY ON THE UNSAFE AND UNSOUND USE OF LIMITATION OF LIABILITY PROVISIONS IN EXTERNAL AUDIT ENGAGEMENT LETTERS"]
Dated: February 1, 2006
John C. Dugan (signed)
OTS: 6720-01-P (1/5)
Board: 6210-01-P (1/5)
FDIC: 6714-01-P (1/5)
NCUA: 7535-01-P (1/5)
OCC: 4810-33-P (1/5)
|Last Updated firstname.lastname@example.org|