To the rescue: the ACFE: is it a bird? A plane? Alan Greenspan?

A child took a pencil from my desk, so now all your mommies and daddies must buy lead detection devices, and you must wear them at all times.

But Ms. Fixitquik, the girl who stole your pencil isn't even in our class.

No matter--at least we won't have to worry about any of you stealing pencils.

But Ms. Fixitquik, they're awful heavy.

You'll get used to it. Remember how you never thought you'd get used to collars that keep you from wandering off? No one has gotten shocked recently ...

Sometimes it feels like our regulators and legislators don't think through the whole risk/reward equation. We know it's important to manage the risks we face, but we resent it when the price tag of each new initiative is foisted on everyone. A fraud uncovered in several large companies has repercussions not only for all companies but for their lending institutions as well. But there it is. And it's not like a few banks haven't had frauds of their own.

As one of its provisions, the Sarbanes-Oxley Act (SOX) of 2002 is expanding its expectations for the financial expert, a person many companies and their financial institutions already have on their audit committees. Now, many explicit and implicit costs arise in attracting and retaining such experts, and committee members and their banks may face increased liabilities as well. This article discusses SOX Section 407's effects on the banking industry, including the financial expert's possibly increased legal liability, available safe harbors, and expected education and experience attributes. The article also offers methods to attract and train bank audit committee financial experts (ACFEs). Banks need to know that their customers are in compliance and that their own institutions are in compliance.

Action: WorldCom, Global Crossing, Enron, and scared shareholders.

Reaction: Sarbanes-Oxley Act (SOX) of 2002. Originally called the Public Company Accounting Reform and Investor Protection Act, SOX seeks to restore investor confidence by improving corporate governance of U.S. public companies, holding implications for bank customers and shareholders alike. As has been amply demonstrated, an act of fraud has many, many victims, and financial institutions with interests in WorldCom or other such companies have suffered huge financial and reputational losses. While onerous for financial institutions and their customers, the provisions make sense. Generally addressing financial reporting and disclosure, conflicts of interest, and corporate governance, SOX especially affects the audit process. For example:

* It sets procedures to address complaints regarding accounting practices.

* It assesses the aggressiveness or conservativeness of a firm's accounting policies and how such policies affect the firm's financial posture.

* It evaluates such accounting judgmental areas as company reserves and contingencies.

* It reviews management's handling of proposed auditor adjustments.

* It assesses the "quality" of the financial statements, not just their acceptability.

* It mandates that companies' audit committees contain only independent directors, who in turn appoint and compensate the outside auditors and oversee their work.

* It mandates that audit committees should contain at least one member designated as an audit committee financial expert (ACFE).

Congress asked the Securities and Exchange Commission to implement SOX's key provisions and, in the process, to define a financial expert. The SEC did so in 2003, requiring that an ACFE:

* Understands generally accepted accounting principles (GAAP) and financial statements.

* Has the ability to assess the general applications of such principles in connection with accounting for estimates, accruals, and reserves.

* Has experience in preparing, auditing, analyzing, and evaluating adequately complex financial statements (relative to the industry) or supervising those engaged in such activities.

* Understands internal controls and procedures for financial reporting.

* Understands audit committee functions.

Moreover, the ACFE must demonstrate the following attributes:

* Education and experience as a principal financial or accounting officer, controller, public accountant, or other similar professional.

* Experience in overseeing or assessing the performance of companies or public accountants with respect to the preparation, auditing, or evaluation of financial statements.

* Other relevant experience. (1)

While SOX's provisions legally bind only public companies, its cascade effects led many nonpublic and governmental entities to follow many of its provisions to improve their own financial reporting processes. On March 5, 2003, the FDIC issued a Financial Institution Letter to provide guidance to insured banks and other financial institutions in adopting key SOX provisions, especially in defining ACFE, which under SOX Section 407 should strengthen corporate bank governance, protect shareholder interests, and thus increase shareholder value and provide better accounting reviews. Boards of directors of financial institutions should now either identify all of their ACFEs or disclose that they have no ACFE, as part of their annual reports on Forms 10-K, 10-KSB, 20-F, or 40-F.

Sarbanes-Oxley Section 407 Provisions

The goal of SOX Section 407 is to strengthen financial reporting, buttress corporate governance, protect shareholders' interests, and thus increase shareholder value. That's a tall order, but a good one. Section 407 originally defined "audit committee financial experts" based primarily on whether the directors had prior accounting-related experience with SEC financial reporting, or had work experience as a public accountant, auditor, principal financial or accounting officer, or controller. Section 407 also increased the demand for CPAs to serve on corporate audit committees, especially experts. Given CPAs' many accounting-specific duties, expertise would help assure a relatively high degree of accounting sophistication. But how can companies find (and afford) such a person? So the SEC broadened its definition, extending the field of qualified experts to encompass company presidents and chief financial officers, who, by virtue of their positions, supervise financial and accounting officers and other overseers of company performance.

The SEC's January 23, 2003 final rule requires the ACFE to:

* Understand GAAP, financial statements, internal controls, procedures for financial reporting, and audit committee functions.

* Assess the general application of such principles in connection with the accounting estimates, accruals, and reserves.

* Have experience in preparing, auditing, analyzing, or evaluating financial statements that present a broad array of complex accounting issues, or in actively supervising those engaged in such activities.

Increased Liability to Safe Harbor to ... It Gets Confusing

Many CPAs and other financial experts with experience in public practice and industry have the attributes to qualify as ACFEs; however, attracting them to serve on such committees is often difficult, especially given their potentially increased liabilities under such provisions as Section 11 of the SEC Act of 1933, breach of duty of loyalty, and State breach of duty. To encourage qualified individuals to become ACFEs, the SEC established some safe-harbor provisions. Since ACFEs are not "experts" under Section 11 of the SEC Act of 1933, they do not face higher due diligence standards from issuers' registration statements arising from their financial expert designation. The safe-harbor rules clarify that ACFE designations do not invest such committee members with any greater duties or obligations than any other committee or board members, nor do they affect the duties and responsibilities of other board members.

However, plaintiffs could evade the SEC's rulings by asserting that Congress required this "expert" designation to enhance shareholders' confidence in relying on the designation and knowledge of such a director regarding purchasing securities. Thus, such experts had an enhanced duty to perform commensurately with their expertise. Moreover, these federal securities law exemptions create no protection under state corporation law.

Plaintiffs must prove reliance on the financial statements under Section 11(a), but not under Section 11(b) of the federal Securities Act. Because ACFEs typically have skills or expertise similar to those of their peer directors regarding portions of the registration statements that their companies' accountants review, they face no additional liabilities. (2) Moreover, ACFEs, like all other directors, can minimize their potential liabilities by showing that they "reasonably investigated" the financial information as prudent people would manage their own properties.

But under state law, board members and ACFEs face two primary sets of fiduciary duties--the duty of loyalty and the duty of care. Breaches of the duty of loyalty involve directors benefiting themselves by acting adversely to the companies' interests. Statutes and case law offer little protection for directors violating this duty of loyalty. Breach of the duty of care, however, involves situations where directors act to damage the corporation without receiving personal benefits. Directors should follow the Model Business Corporation Act, which requires them to act in good faith, in a manner that they believe reasonably serves the corporation's best interests, and to discharge their responsibilities as persons would reasonably believe appropriate under similar circumstances. Moreover, under the business judgment rule, directors can minimize their liabilities when they can show that they acted in good faith and reasonably believed they served the corporation's best interests.

Corporate charters can relieve directors from financial liability for breaches of their duty of care, especially when confirmed with proper proxy statement disclosures. For example, Aurora Foods' proxy states that "the Audit and Compliance Committee members are not professionally engaged in the practice of accounting or auditing and are not experts in the fields of accounting or auditing." Similarly, the American Law Institute's Principles of Corporate Governance observes that the nature and extent of the functions for directors to perform will vary with their imposed tasks by law, by the corporation, or voluntarily assumed, while recognizing the directors' special skills, background, and expertise.

Thus, under both federal and state laws, the substance of the directors' special skills, background, or experience become much more important than any formal "expert" designations for purposes of potential legal liability. Directors should be judged on their actions rather than on their mere designations, although designated experts cannot easily deny such financial expertise. (3)

Section 407 and Other SOX Rules: Application in the Banking Industry

Banks, as mentioned, have dual concerns--their own institutions as well as those of their customers or third parties.

The SOX rules require public and nonpublic banks whose assets exceed $500 million to adhere to the annual audit and reporting requirements of Section 36 of the FDI Act. Section 36 and Part 363 require annual audits; annual reports including statements on management's responsibility to prepare annual financial statements, adequate internal controls, compliance with laws and regulations, and management's assessment of the effectiveness of internal controls and compliance; and certain audit committee requirements.

In March 2003, the FDI issued guidance explaining how banks with assets under $500 million should apply SOX provisions, and the Federal Reserve Board, Office of the Comptroller, and Office of Thrift Supervision issued similar guidance separately a few months later. Such guidance "encourages" prohibitions on internal audit outsourcing, incorporating audit partner rotation and auditor reporting practices, preapproval of audit services by audit committees, use of engagement letters, and adoption of codes of ethics. However, the FDIC "does not expect" banks to disclose if they have an ACFE. The FDIC recognizes that small, community banks might have difficulties following Section 407 and suggests that a bank "consider implementing [SOX rules] to the extent feasible given its size, complexity, and risk portfolio."

In his book New Sarbanes-Oxley Act Guidance for Banks, James M. Koltveit writes that small banks may be able to implement the above provisions by, for example:

* Exercising audit partner rotation and "time out" periods when nonlocal accounting firms (i.e., fewer than 10 partners) perform external audits.

* Establishing mechanisms for employees to anonymously submit concerns directly to audit committees about questionable accounting, internal accounting, controls, or auditing matters.

* Making all material correcting adjustments identifiable to external auditors.

* Adopting codes of ethics for senior financial officers or documenting the reasons for not doing so in the board's minutes.

Training, Attracting, and Retaining ACFEs

SOX Section 407 has increased greatly the demand for qualified independent directors to serve as financial experts. To identify potentially qualified ACFEs, the full board should consider such factors as committee members' formal education (e.g., in accounting and finance) and experience; CPA, CMA, CBA, and other professional designations; and proven high levels of personal and professional integrity. They should also consider such qualitative factors as the director's time in grade as an accounting or financial expert; service as a CFO, controller, principal of a bank, or other accounting officer; other experience with laws and regulations applicable to--and experience in preparing, reviewing, auditing, or analyzing--public company financial statements; memberships on public-company audit committees; and other proven abilities to make knowledgeable and thorough inquiries as to whether the financial statements are fairly presented, in accordance with GAAP.

Again, banks are concerned about accounting practices on two levels--their own and those of their customers. Because the ACFE is selected by a company's board and not by the bank, it follows that the bank must have an understanding of the competence and integrity of that company's board. If the board seems lacking, this is the financial institution's cue to monitor its customer more carefully and perhaps also guide its actions in respect to Section 407. Banks may choose to use, and recommend that their customers use, the AICPA's Self-Assessment Tool (www.aicpa.org/ audcommctr/toolkits/02.htm) to ascertain the candidates' financial competence. AICPA member institutions also can use the organization's audit committee matching system to help fulfill each other's ACFE personnel needs.

While Section 407 requires ACFE to demonstrate a high level of financial literacy, many schools and colleges--even those with five-year accounting/CPA programs--often fail to prepare proper candidates for these challenges. Institutions and even continuing education programs should focus on such key issues as emerging provisions and regulations, as well as financial analytical, financial forensic, technical, leadership, and managerial accounting skills development. Of course, work experience should supplement needed skills beyond such courses.

Companies should expect to increase the rewards for the ACFE, including increased annual retainers, attendance fees for continuing education, and more stock options. A survey from Protiviti notes a 4% increase in both annual retainers to board members and board attendance fees, now averaging $29,350, with 90% of companies paying a retainer. Banks and their customers may even need to pay recruiters for help in finding and screening ACFE.

Another cost will be increased premiums for directors and officers (D&O) liability insurance. A February 2004 article by Koehn and Del Vecchio reports premiums for D&O insurance, if obtainable, ballooning by 100-400%. Moreover, many D&O insurance companies can seek not to pay on director claims or can cancel policies when companies restate prior financial statements. These costs underlie the importance of obtaining qualified ACFE and performing quality audits.

Can Anyone Be an ACFE?

The SEC's guidelines for finding a qualified ACFE are both useful and daunting. Useful since they should help strengthen the financial reporting process, and daunting since finding such experts may become very difficult. It makes you wonder, as did Protiviti, if such highly respected business leaders as Alan Greenspan or Warren Buffett would qualify as financial experts.

Notes

(1) "SEC Issues Rules on Audit Committee Financial Experts," Nutter Client Advisory, April 2003, www.nutter.com/news/images/sarbanes9.pdf.

(2) Conwell, Chad, "Increased Liability for 'Audit Committee Financial Experts?'" Client Alert, June 2003, www.fei.org/download/client_alert_06_25 _03.pdf.

(3) Ibid.

Other References

Principles of Corporate Governance, American Law Institute, 1992, p. 151.

"Applicability of the Provisions of the Sarbanes-Oxley Act of 2002 to Insured Depository Institutions," Corporate Alert, Blank Rome LLP, www.blankrome.com/publications/lealert/ corpOct03-1.asp.

DeFond, Mark L., Harm, Rebecca N., and Hu, Xuesong, "Does the Market Value Financial Expertise on Audit Committees of Board of Directors?" January 2004, a white paper from the Leventhal School of Accounting, www.marshall.usc. edu/media/facultyResearch/ExpertiseAuditCom.pdf.

Eller, Brent, "Final SEC Rule Regarding Disclosure of Audit Committee Financial Expert under Section 407 of Sarbanes-Oxley," Corporate Finance Advisory Bulletin, Davis Wright Tremain LLP, February 2003, www.dwt.com/practc/corp_ fin/bulletins/02-03FinalSEC(print).htm.

Countryman, A. (January 21, 2003), "SEC Adopts Boarder Definition of 'Financial Expert'," Chicago Tribune, January 21, 2003, http://accounting.smartpros.com/x36749.xml.

Garrison, Chad, "Spotlight on Audit Committees," St. Louis Business Journal, August 2, 2002, www.bizjournats.com/stlouis/stories/2002/08/05/s tory3.html.

Grandstrand, Karen L., "SOX and Beyond," March 2004, Fredrickson & Byron PA, www.fredlaw.com/ articles/banking/bank_0403_klg.html.

Koehn, Jo Lynn, and Del Vecchio, Stephen C., "Ripple Effects of the Sarbanes-Oxley Act," The CPA Journal, February 2004, pp. 36-38.

Koltveit, James T., "New Sarbanes-Oxley Act Guidance for Banks," Banker's Ideanet, March 2003, www.sheshunoff.com/email/archive/0303/ finance_new1.html.

Koltveit, James T., "Reviewing Your Bank's Audit Committee Charter," Banker's Ideanet, September 2003, www.sheshunoff.com/email/archive/0903/ finance_new1.html.

"SEC Adds Flexibility to Audit Committee 'Financial Expert' Definition," Protiviti's Knowledge Leader, February 2003, www.knowledgeleader.com.

Westfall, Christopher, "Audit Committees, Candidates Ease into S-O Expert Rules," June 17, 2004, KPMG's Banking Insider Focus, www.kpmginsiders.com/display_analysis.asp?cs id=105725.

Alan Reinstein may be contacted by e-mail at a.reinstein@wayne.edu.

Dr. Alan Reinstein, CPA, is the George R. Husband Professor of Accounting at Wayne State University. A frequent contributor to The RMA Journal and other publications, Reinstein's consulting and writing experience includes the areas of audit committees and other professional issues.

COPYRIGHT 2004 The Risk Management Association
COPYRIGHT 2005 Gale Group