This regular feature focuses on topics of critical importance to bank
accounting. Comments on this column and suggestions for future columns
can be e-mailed to SupervisoryJournal@fdic.gov.
The words "independent" and "independence" are often used in conjunction
with the services certified public accountants (CPAs or external auditors)
provide to their clients, including insured depository institutions (banks
or financial institutions). When CPAs and their firms provide certain
services that require them to be independent, such as audits of financial
statements and audits of internal control over financial reporting, they
are referred to as independent public accountants, independent auditors,
or external auditors. But what does "independence" mean when external
auditors provide these services? It is useful for examiners to have an
understanding of the general principles and concepts embodied in "independence"
because examiners are expected to review and evaluate institutions' external
auditing programs. This article summarizes existing professional standards
for auditor independence, including recent developments regarding tax
services and contingent fees as well as the use of limitation of liability
clauses in engagement letters.
The American Institute of Certified Public
Accountants' (AICPA) Conceptual Framework for AICPA Independence Standards (Conceptual Framework) defines independence as
Independence of mind. The state of mind that permits the performance
of an attest service without being affected by influences that compromise
professional judgment, thereby allowing an individual to act with integrity
and exercise objectivity and professional skepticism.
Independence in appearance. The avoidance of circumstances that would
cause a reasonable and informed third party, having knowledge of relevant
information, including safeguards applied, to reasonably conclude that
the integrity, objectivity, or professional skepticism of a firm or
member of the attest engagement team has been compromised.1
For financial institutions, the most common services performed by external auditors that require independence include audits of financial statements, audits of internal control over financial reporting, and attestations on management's assessment of internal control over financial reporting. Therefore, the primary focus of this discussion will be on the independence standards related to financial statement audits and internal control audits/attestations.
Importance of Auditor Independence
Why is it important for the external auditor to be independent? A properly conducted audit provides an independent and objective view of the reliability of a financial institution's financial statements. The external auditor's objective in an audit is to form an opinion on the financial statements taken as a whole. When planning and performing the audit, the external auditor considers the financial institution's internal control over financial reporting. Generally, the external auditor communicates any identified deficiencies in internal control to management, which enables management to take appropriate corrective action. In addition, certain financial institutions are required to file audited financial statements and internal control audit/attestation reports with one or more of the Federal banking agencies.2 The Federal Financial Institutions Examination Council's (FFIEC) Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations3 notes that "an institution's internal and external audit programs are critical to its safety and soundness." The FFIEC's policy statement also says that an effective external auditing program "can improve the safety and soundness of an institution substantially and lessen the risk the institution poses to the insurance funds administered by the Federal Deposit Insurance Corporation."
Many financial institutions are required to have their financial statements audited, and others voluntarily choose to undergo such audits. For example, banks and savings associations with $500 million or more in total assets are required to have annual independent audits.4 Certain savings associations (for example, those with a CAMELS rating of 3, 4, or 5) and savings and loan holding companies are also required by the Office of Thrift Supervision (OTS) regulations to have annual independent audits.5 The Agencies rely on the results of audits as part of their assessment of the safety and soundness of a financial institution.
Reliable financial reports, such as audited financial statements, are necessary for a financial institution to raise capital. They provide data on an institution's financial position and results of operations for stockholders, depositors, and other funds providers, borrowers, and potential investors. Such information is critical to effective market discipline of an institution.
For audits to be effective, the external auditors must be independent in both fact and appearance, and must perform all necessary procedures to comply with auditing and attestation standards established by either the AICPA or, if applicable, the Public Company Accounting Oversight Board (PCAOB).
Currently, the independence standard-setters include the AICPA, the U.S. Securities and Exchange Commission (SEC), and the PCAOB. Depending upon the audit client, an external auditor is subject to the independence standards issued by one or more of these standard-setters. For nonpublic financial institutions6 that are not required to have annual independent audits pursuant to either Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations, the external auditor must comply with the AICPA's independence standards; the financial institution's external auditor is not required to comply with the independence standards of the SEC and the PCAOB.
In contrast, for financial institutions subject to the audit requirements either in Part 363 of the FDIC regulations (i.e., those with $500 million or more in total assets) or in Section 562.4 of the OTS regulations, the external auditor should be in compliance with the AICPA's Code of Professional Conduct and also meet the independence requirements and interpretations of the SEC and its staff. The SEC's independence requirements encompass the independence standards and rules adopted by the PCAOB and approved by the SEC.
For financial institutions and bank holding companies that are public companies,7 regardless of size, the external auditor should be in compliance with the SEC's and the PCAOB's independence standards as well as the AICPA's independence standards.
The table below illustrates the applicability of the AICPA, SEC, and PCAOB independence standards.
Applicability of Independence Standards
AICPA Independence Standards
SEC Independence Standards
PCAOB Independence Standards
Scenario 1 Nonpublic institutions not subject to Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations
Scenario 2 Public and nonpublic institutions subject to Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations
Scenario 3 Institutions and holding companies that are public companies (regardless of size)
The independence standards and interpretations of the AICPA, the SEC, and the PCAOB8 set forth rules and provide guidance regarding many facets of the external auditor's relationship with and performance of services for an audit client, including
which members of the audit engagement team are subject to the independence
rules (referred to as "Covered Members or Persons");
financial relationships of Covered Members/Persons or their immediate
financial interests in nonclients having investor or investee relationships
financial interests of audit firm partners and professional employees,
their immediate families, and close relatives;
employment relationships of the audit firm's partners, professional employees,
and their immediate family and close relatives; and
the performance of nonaudit services to audit clients.
However, while the independence rules and interpretations provide guidance and establish a framework for auditors to follow, they do not-nor were they meant or designed to-consider all circumstances that raise independence concerns.
The AICPA, the SEC, and the PCAOB also require audit firms to have quality controls for their audit practices.9 The AICPA's standards define quality control as "a process to provide the firm with reasonable assurance that its personnel comply with applicable professional standards and the firm's standards of quality."10 The AICPA's standards further set forth five broad elements of appropriate quality control in a public accounting firm, which relate to maintaining independence, integrity, and objectivity; managing personnel; establishing guidelines for accepting and continuing clients; performing engagements; and monitoring the existing quality control policies and procedures.
Audit firms that provide audit/attest services to nonpublic clients are subject to peer reviews performed in accordance with applicable AICPA standards, and audit firms that provide audit/attest services to public clients are subject to inspections performed by the PCAOB.11 Peer reviews and inspections include an examination and/or review of an audit firm's quality controls. However, for any particular audit client, the most visible and apparent independence concerns would be manifested in the services (audit and nonaudit) provided to the client.
AICPA Independence Standards
The AICPA's professional standards require audit firms, including the firms' partners and professional employees, to be independent in accordance with AICPA Rule 101, Independence,12 of the Code of Professional Conduct (Rule 101) whenever an audit firm performs an attest service for a client. Attest services include financial statement audits, financial statement reviews, and other attest services as defined in the AICPA's Statements on Standards for Attestation Engagements. For all financial institution audits (whether the audit is voluntary or required; whether or not the financial institution is subject to Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations; and whether the financial institution is a public or a nonpublic company), the financial institution's external auditor must comply with the AICPA's Independence Standards.
Independence is not required when an audit firm performs services that are not attest services, if those services-for example, tax preparation and consulting services-are the only services an audit firm provides to a particular client. However, Rule 101 requires an auditor to comply with the independence regulations of authoritative regulatory bodies (such as the SEC and state boards of accountancy) when the auditor performs nonattest services for an attest client and is required to be independent of the client under the regulations of the applicable regulatory body. The auditor's failure to comply with the nonattest services provisions contained in the independence rules of the applicable regulatory body that are more restrictive than the provisions of Rule 101 would constitute a violation of Rule 101.
The AICPA's Rule 101 imposes limits on the nature and scope of nonattest services an audit firm may provide to an audit (attest) client. Rule 101 specifically addresses the following nonattest services:
Payroll and other disbursement services,
Internal audit assistance,
Benefit plan administration,
Investment advisory or management services,
Corporate finance consulting or advisory services,
Appraisal, valuation, or actuarial services,
Executive or employee search services,
Business risk consulting, and
Information systems design, installation, or integration.
Before an audit firm performs nonattest services for an audit client, the AICPA's Rule 101 requires the audit firm to meet certain general requirements. If certain nonattest services (for example, internal audit assistance) are to be performed, the audit firm must also satisfy service-specific requirements. In cases where the general or service-specific requirements for nonattest services are not met, the audit firm's independence would be impaired with respect to the attest services the audit firm provides to that audit client.13
The general requirements for performing nonattest services for audit clients under Rule 101 include
The audit firm should not perform management functions or make management decisions for the audit client.
The audit client must agree to perform the following functions in connection with the nonattest services:
Make all management decisions and perform all management functions;
Designate an individual who possesses suitable knowledge and/or experience to oversee the services;
Evaluate the adequacy and results of the services performed;
Accept responsibility for the results of the services; and
Establish and maintain internal controls, including monitoring ongoing activities.
Before performing nonattest services, the audit firm should establish and document the following in writing with the client:
Objectives of the engagement,
Services to be performed,
Client's acceptance of its responsibilities,
Audit firms' responsibilities, and
Any limitation of the engagement.
Internal audit services, sometimes referred to as "internal audit outsourcing," are one of the more common nonaudit services audit firms provide to financial institutions. In evaluating whether independence would be impaired with respect to an audit client that is not a public company and is not subject to Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations, the nature of the internal audit services to be provided to the client needs to be considered.14 Assisting the client in performing financial and operational internal audit activities would impair independence unless the external auditor takes appropriate steps to ensure that the client understands its responsibilities for establishing and maintaining the internal control system and directing the internal audit function, including the management thereof. Accordingly, any outsourcing of the internal audit function to the external auditor whereby the external auditor in effect manages the internal audit activities of the client would impair independence.
In addition to the general requirements of Rule 101 for performing nonattest services for an audit client, the external auditor should ensure that client management
Designates an individual or individuals who possess suitable skill, knowledge, and/or experience to be responsible for the internal audit function;
Determines the scope, risk, and frequency of internal audit activities, including those to be performed by the external auditor providing internal audit assistance services;
Evaluates the findings and results arising from the internal audit activities; and
Evaluates the adequacy of the audit procedures performed and the findings resulting from the performance of those procedures by, among other things, obtaining reports from the external auditor.
As previously indicated, it is impossible to enumerate all circumstances in which the appearance of independence might be questioned. In the absence of an independence interpretation or ruling under the AICPA's rules that addresses a particular circumstance, a member (auditor) should consider whether that circumstance would lead a reasonable person aware of all of the relevant facts to conclude there is an unacceptable threat to the member's and the firm's independence. The AICPA's Conceptual Framework provides a risk-based approach for making that evaluation. The risk-based approach involves three steps: (1) the auditor should identify and evaluate threats to independence; (2) the auditor should determine whether safeguards already eliminate or sufficiently mitigate identified threats and whether threats that have not yet been mitigated can be eliminated or sufficiently mitigated by safeguards; and (3) if no safeguards are available to eliminate an unacceptable threat or reduce it to an acceptable level, the auditor should conclude that independence would be considered impaired.15
Many different circumstances (or combinations of circumstances) can create threats to an auditor's independence. It is impossible to identify every situation that threatens independence. However, seven broad categories of threats should always be evaluated when threats to independence are being identified and assessed. They are (1) self review (auditors reviewing the results of their own nonattest work); (2) advocacy (actions by the auditor to promote the client's interests or position); (3) adverse interest (actions or interests between the auditor and the client that are in opposition); (4) familiarity (auditors having a close or long-standing relationship with an attest client); (5) undue influence (attempts by the client's management to coerce or exercise excessive influence over the auditor); (6) financial self-interest (potential benefit to the auditor from a financial interest in, or from some other financial relationship with the client); and (7) management participation (the auditor taking the role of client management or performing management functions on behalf of the client).16
SEC Independence Standards
The SEC's independence rules are set forth in Rule 2-01 of Regulation S-X (Rule 2-01).17 Rule 2-01 was amended in January 2003 by Release No. 33-8183, Strengthening
the Commission's Requirements Regarding Auditor Independence, to fulfill the mandate of Title II of the Sarbanes-Oxley Act of 2002. To assist practitioners in complying with the SEC's independence rules, the SEC's Office of the Chief Accountant has also issued and periodically updates a document titled Application
of the Commission's Rules on Auditor Independence-Frequently Asked Questions.
Unlike the AICPA's independence rules, the SEC's independence rules provide that an accountant is not independent if, at any point during the audit and professional engagement period,18 the accountant provides any of the following nonaudit services to an audit client:
Bookkeeping or other services related to the accounting records or financial statements of the audit client;
Financial information systems design and implementation;
Appraisal or valuation services, fairness opinions, or contribution-in-kind reports;
Internal audit outsourcing services;
Human resources services;
Broker-dealer, investment adviser, or investment banking services;
Legal services; or
Expert services unrelated to the audit.
The SEC's rules state that bookkeeping, financial information systems design and implementation, appraisal or valuation services, actuarial services, and internal audit outsourcing services are prohibited "unless it is reasonable to conclude that the results of these services will not be subject to audit procedures during an audit of the audit client's financial statements."19 This limited exception to the general prohibition regarding nonaudit services is quite narrow in the SEC's view, establishing a rebuttable presumption that these services are subject to audit procedures. In other words, the SEC presumes that, when an accountant audits an audit client's financial statements, the accountant will end up auditing the work he or she performed when rendering the aforementioned nonaudit services for the audit client.
Like the AICPA's independence rules, the SEC's independence rules do not purport
to consider all circumstances that raise independence concerns. In this regard,
the SEC considers whether a relationship or the provision of a service (a)
creates a mutual or conflicting interest between the accountant and the audit
client (b) places the accountant in a position of auditing his or her own work
(c) results in the accountant acting as management or an employee of the audit
client or (d) places the accountant in a position of being an advocate for
the audit client.
The SEC will not recognize an accountant as independent,
with respect to an audit client, if the accountant is not, or a reasonable
investor with knowledge of all relevant facts and circumstances would conclude
that the accountant is not, capable of exercising objective and impartial judgment
on all issues encompassed within the accountant's engagement. In determining
whether an accountant is independent, the SEC will consider all relevant circumstances,
including relationships between the accountant and the audit client, and not
just those relating to reports filed with the SEC.
PCAOB Independence Standards
Title I of the Sarbanes-Oxley Act of 2002 established the PCAOB and charged
it with the responsibility of overseeing the audits of public companies that
are subject to the U.S. Federal securities laws. Only accounting firms that
register with the PCAOB (registered public accounting firms) may audit public
companies. The PCAOB's duties include the establishment of auditing, quality
control, ethics, independence, and other standards relating to public company
The PCAOB adopted all of the independence standards described in the
AICPA's Code of Professional Conduct Rule 101, and the interpretations and
rulings thereunder, as in existence on April 16, 2003, as the PCAOB's Interim
Independence Standards. These Interim Independence Standards also include Standards
Nos. 1, 2, and 3 and Interpretations 99-1, 00-1, and 00-2 of the former Independence
Standards Board. Generally, this means that the PCAOB applies the independence
standards/principles discussed under the "AICPA Independence Standards" section
of this article to registered public accounting firms.
The PCAOB's Interim
Independence Standards do not supersede the SEC's auditor independence rules.
Therefore, to the extent that a provision of the SEC's rules is more or less
restrictive than a provision of the PCAOB's Interim Independence Standards,
a registered public accounting firm must comply with the more restrictive rule.
The PCAOB's interim standards will remain in effect until modified or superseded,
either by PCAOB action approved by the SEC, or by SEC action pursuant to its
independent authority under the Federal securities laws to establish independence
standards for auditors of public companies.
Recent Developments in Auditor Independence
Recent AICPA Developments
On September 8, 2006, the AICPA's Professional Ethics Executive Committee (PEEC) re-exposed its Proposed Interpretation 101-16 under Rule 101: Indemnification, Limitation of Liability, and ADR Clauses in Engagement Letters. The comment period for the revised Exposure Draft (ED) ended on December 8, 2006. The AICPA's initial ED on this subject was issued on September 15, 2005.
The revised ED is significantly different from the September 2005 ED. The revised ED has an underlying principle that would permit external auditors to include indemnification and limitation of liability provisions in audit engagement letters if such provisions are contingent upon the related services being performed in compliance with professional standards, in all material respects. However, the revised ED would also permit certain indemnification and limitation of liability provisions to be included in audit engagement letters and not be subject to the underlying principle. For example, under the revised ED, the audit client could waive the right to seek punitive damages and indemnify the auditor for third-party punitive damage awards, the time period for the client to file a claim for damages could be limited, and the client's right to assign or transfer a claim could be limited.
On February 3, 2006, the Federal banking agencies, together with the National Credit Union Administration, issued an Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters.20 The Interagency Advisory applies to audit engagement letters executed on or after February 9, 2006, and provides that the inclusion of indemnification and limitation of liability provisions in external audit engagement letters will generally be considered an unsafe and unsound practice. Appendix A of the Interagency Advisory contains examples of unsafe and unsound limitation of liability provisions.
While the Interagency Advisory addresses indemnification and limitation of liability from a safety and soundness perspective, rather than from an auditor independence perspective, it is fairly consistent with the PEEC's September 2005 ED. However, the PEEC's September 2006 revised ED is generally inconsistent with its September 2005 ED and the Interagency Advisory.
Recent PCAOB Developments
On April 19, 2006, the SEC approved the PCAOB's proposed ethics and independence rules concerning independence, tax services, and contingent fees. These rules have varying effective dates, most of which are in 2006.
Besides establishing general rules with respect to ethics and independence, these new PCAOB rules restrict certain types of tax services a registered public accounting firm may provide to an audit client and certain members of the client's management, and prohibit contingent fee arrangements for any services a registered public accounting firm provides to an audit client, in order for the firm to maintain its independence with respect to that client. Nonpublic financial institutions subject to Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations and their auditors should note that these new independence rules from the PCAOB apply to institutions' external auditors.
Auditor independence is the cornerstone for CPAs and audit firms that provide audit/attestation services to financial institutions. Sometimes concerns regarding an auditor's independence with respect to a specific audit client are "black and white" and a decision as to whether the auditor's independence is impaired can be reached rather easily. However, many times, the resolution of concerns regarding auditor independence requires a thorough and complete analysis of all of the relevant facts and circumstances before a conclusion can be made. In the end, ensuring auditor independence is a responsibility of both the auditor and the client financial institution.
Accordingly, as noted in the February 2006 Interagency Advisory and the 1999 Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations, examiners should consider an institution's policies and processes surrounding its external auditing program, including those for determining whether the auditor maintains appropriate independence in its relationship with the institution under applicable professional standards, when they evaluate the institution's program. Examiners should also review external audit engagement letters to determine whether they include any limitation of liability provisions of the types that are deemed unsafe and unsound by the Interagency Advisory.
Harrison E. Greene, Jr. CPA, CBA, Accounting and Securities Disclosure Section
2 The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), collectively referred to as the Agencies.
3 Published in the Federal
Register on September 28, 1999 (64 FR 52319).
4 See Section 36(d) of the Federal Deposit Insurance Act (12 U.S.C. 1831m) and Sections 363.1(a) and 363.2(a) of Part 363 of the FDIC's regulations (12 CFR 363).
5 See OTS regulation at 12 CFR 562.4.
6Nonpublic financial institutions are companies that are not, or whose parent companies are not, subject to the reporting requirements of the Securities Exchange Act of 1934.
7 Public companies are companies, or subsidiaries of companies, that are subject to the reporting requirements of the Securities Exchange Act of 1934.
8For the AICPA, refer to the AICPA's Code of Professional Conduct, ET Section 101, Independence; ET Section 191, Ethics Rulings on Independence, Integrity, and Objectivity; and Interpretations under Rule 101 - Independence. For the SEC, refer to Rule 2-01 of Regulation S-X (17 CFR Section 210.2-01); the Codification of Financial Reporting Policies - Section 600 - Matters Relating to Independent Accountants; and the Office of the Chief Accountant's Frequently Asked Questions: Application of the Commission's Rules on Auditor Independence. See www.sec.gov/info/accountants/ocafaqaudind121304.htm. For the PCAOB, refer to the following PCAOB Rules and Professional Standards: Rule 3500T-Interim Ethics Standards; Rule 3520-Auditor Independence; Rule 3521-Contingent Fees; Rule 3522-Tax Transactions; Rule 3523-Tax Services for Persons in Financial Reporting Oversight Roles; Rule 3524-Audit Committee Pre-approval of Certain Tax Services; and Rule 3600T-Interim Independence Standards. See www.pcaobus.org/Rules/Rules
9 For the AICPA, refer to its Quality Control (QC) Standards, QC Section 20-System of Quality Control for a CPA Firm's Accounting and Auditing Practice; QC Section 30-Monitoring a CPA Firm's Accounting and Auditing Practice; and QC Section 40-The Personnel Management Element of a Firm's System of Quality Control-Competencies Required by a Practitioner-in-Charge of an Attest Engagement. On July 28, 2006, the AICPA's Auditing Standards Board issued an Exposure Draft of a proposed Statement of Quality Control Standards that will replace all the existing QC Standards. For the SEC, refer to Rule 2-01(d) of Regulation S-X. For the PCAOB, refer to Rule 3400T-Interim Quality Control Standards-of its Rules and Professional Standards.
10 Refer to QC Section 20.03 of the AICPA's QC Standards.
12 ICPA, Professional
Standards, ET Section 101.01.
13 AICPA, Professional
Standards, ET Section 101.05.
14 For audit clients that are public companies or that are subject to Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations, internal audit outsourcing to the external auditor is generally impermissible under the SEC's independence rules.
15 ET Section 100.01, Conceptual Framework for AICPA Independence Standards, paragraph 5.
16 ET Section 100.01, Conceptual Framework for AICPA Independence Standards, paragraphs 12 to 19.
17 See 17 CFR 210.2-01.
18 Under Rule 2-01(f)(5), the audit and professional engagement period includes both: (1) the period covered by any financial statements being audited or reviewed (the "audit period"); and (2) the period of the engagement to audit or review the audit client's financial statements to prepare a report filed with the SEC (the "professional engagement period"). The professional engagement period begins when the accountant either signs an initial engagement letter (or other agreement to review or audit a client's financial statements) or begins audit, review, or attest procedures, whichever is earlier; and the professional engagement period ends when the audit client or the accountant notifies the SEC that the client is no longer that accountant's audit client.
19 19 See Rule 2-01(c)(4)(i) through (v) of SEC Regulation S-X (17 CFR 210-01).