Get your ducks in a row: how the Sarbanes-Oxley Act has redefined auditor independence

Independence has been redefined--again.

After being prominent on the agendas of standard setters for several years, auditor independence has been redefined again by the SARBANES-OXLEY Act of 2002. In November 2000, the SEC announced changes to its auditor independence rules. In August 2001, the AICPA offered its own solution, followed by the Government Accounting Office in January 2002. With this latest iteration, the accounting profession finds itself at the receiving end of the most uncompromising rules thus far on auditor independence, designed by federal legislators to ensure that the "independent auditor" is truly independent.

The new law represents an overhaul of federal securities regulations not witnessed since the Securities Exchange Act of 1934. Several new provisions will directly affect auditors of public companies, specifically those contained in Titles I and II of the Act.

THE NEW OVERSIGHT BOARD

Title I created a new regulatory body, the Public Company Accounting Oversight Board, a private entity conceived as the solution to perceived deficiencies in the accounting profession's self-regulation. It will oversee the audits of public companies (the "issuers" of securities, or audit client) and enforce compliance with the Act, which includes new independence rules.

To sign off on an audit report, the auditing firm must apply and qualify to be a "registered public accounting firm" with the board. As part of the registration process, the applicant will report certain information, including names of clients that are publicly held, annual fees received, names of all auditors in the firm, and information relating to criminal, civil or administrative actions or proceedings against it.

AUDITING STANDARDS

The Act also empowers the board to establish standards pertaining to auditing, quality control, ethics and independence to be used by registered auditors in discharging their duties. Such standards will include those that the accounting profession proposes, presumably the prevailing professional standards, and may be amended or supplemented by the board in connection with those standards required of registered auditors.

As part of the auditing standards it adopts, the board will set forth specific rules, such as the requirement to prepare audit workpapers "in sufficient detail to support the conclusions reached" in the audit report, and maintain the related audit workpapers for at least seven years. The board also will require a second partner review and approval of the audit report by a "qualified person."

RENEWED IMPORTANCE FOR INTERNAL CONTROLS

Title I elevates internal controls to greater reporting prominence. Now, the audit client will be required to attach an internal control report to its SEC Form 10-K. This report will affirm management's responsibility to establish and maintain effective internal controls and provide an assessment of the effectiveness of those controls.

For auditors, another salient change will be found in the audit report. The audit report now will include a description of the scope of the auditor's testing of the client's internal control structure and procedures. In contrast, SAS 58, Reports on Audited Financial Statements, does not require a reference to the client's internal controls in the audit report itself.

The auditor also will be required to attest to the aforementioned management assessment, and findings from the testing and an appropriate evaluation of such findings will be presented either on the audit report or in a separate report.

The Act does not enumerate specific procedures that the auditor must undertake in connection with its internal control testing, but presumably, the requirements of SAS 55, Internal Control in a Financial Statement Audit, as amended by SAS 78, will serve as the minimum.

The results of the internal control evaluation called for by the Act will include:

* An assessment that the client maintains transaction records in "reasonable detail";

* Reasonable assurance that transactions are recorded such that the resulting financial statements are prepared in accordance with GAAP; and

* A description of material weaknesses and material noncompliance uncovered during the internal control testing.

Presently, in accordance with SAS 60, Communication of Internal Control Related Matters Noted in an Audit, reportable conditions identified in the course of the audit are to be reported to the audit committee, preferably in writing. Furthermore, reportable conditions that the auditor deems to be material weaknesses are not required by SAS 60 to be separately identified and communicated, although the auditor may choose to do so.

Violating the board's rules is equivalent to violating the 1934 Act and, as such, the penalties under the 1934 Act will apply. In addition, intentional or knowing conduct or repeated negligent conduct that results in a violation will lead to a temporary suspension or permanent revocation of registration, and civil money penalties will be no more than $750,000 for individuals, and $15 million for firms.

The board, which will receive "oversight and enforcement authority" from the SEC, is to be fully staffed and operational by the end of April 2003. Mandatory registration with the board will begin 180 days later, and approval will be granted to a qualified applicant no later than 45 days after receipt of the application.

SCOPE OF SERVICES

Title II of the Act is an entire section devoted to auditor independence and prescribes a new set of rules to be effective 180 days after the board is functional and after the auditing firm becomes a registered public accounting firm, roughly in late-2003. The new rules list which non-audit services are unlawful when performed concurrent with the audit-with little room for exceptions.

In addition to prohibited services, the new rules set forth provisions on audit partner rotation and reports to audit committees. The Act does not address independence questions that may arise due to financial relationships between auditor and client but focuses on the scope of services typically provided by auditors.

According to Title II, it will be unlawful for a registered auditing firm to provide the client certain non-audit services "contemporaneously with the audit." These steadfast restrictions are tougher than the SEC's rules since the following services are not permitted under any circumstances:

* Bookkeeping or other services related to the client's accounting records or financial statements;

* Financial information systems design and implementation;

* Appraisal or valuation services, fairness opinions, or contribution-in-kind reports;

* Actuarial services;

* Internal audit outsourcing services;

* Management functions or human resources;

* Broker or dealer, investment adviser or investment banking services; and

* Legal services and expert services unrelated to the audit.

In addition, the Act sets forth a ninth catch-all category, described as "any other service that the board determines, by regulation, is impermissible." While the restrictions are intended to be uncompromising, the board has the authority to grant exemptions on a case-by-case basis if doing so is necessary and serves the interests of the investing public.

AND WHAT ABOUT ... ?

Noticeably missing from the list above are tax services, which will be permissible only if the engagement is approved in advance by the client's audit committee. The Act also requires pre-approval by the audit committee for auditing services and non-audit services not specified above, and may be waived for such non-audit services that meet certain de minimis rules. Auditing services under the Act may include providing comfort letters in connection with the client's securities underwritings and statutory audits for insurance companies.

AUDIT COMMITTEES: ECHOES OF SAS 90

Echoing the essence of SAS 90, Communication with Audit Committees, Title II provides a section of rules titled Auditor Reports to Audit Committees. It requires the auditor to "timely report" certain information to the audit committee, and is undoubtedly intended to enhance the audit committee's effectiveness in fulfilling its own duties under the Act.

For example, the auditor is to communicate "all critical accounting policies and practices to be used." SAS 90 has a similar provision, except it uses the term "significant" as opposed to "critical."

More unequivocal perhaps than SAS 90, the Act is exacting in its requirement for the auditor to "report all alternative treatments of financial information within generally accepted accounting principles that have been discussed with management officials of the client, ramifications [emphasis added] of the use of such alternative disclosures and treatments, and the treatment preferred by the registered public accounting firm."

Lastly, the Act has a provision not covered by SAS 90, which requires that the auditor report to the audit committee "other material written communications" between the auditor and the client. The Act doesn't define "material," but it lists "any management letter or schedule of unadjusted differences" as examples.

Although the Act requires timely reporting of the aforementioned items, it does not characterize what would be considered untimely reporting.

AUDIT PARTNER ROTATION

Other provisions of Title II include a new rule on audit partner rotation, which makes it unlawful for the lead audit partner or the "audit partner responsible for reviewing the audit" to serve in that capacity for more than five successive fiscal years. Presumably, this rule also will apply to the concurring partner.

CONFLICTS OF INTEREST

In the area of conflicts of interest, Title II prohibits the auditing firm from performing the audit if certain key employees of the client were employed by the auditing firm and participated in the audit in the previous year. Those key positions include CEO, CFO, controller, chief accounting officer or any equivalent position.

MANDATORY ROTATION

The Act also addresses "mandatory rotation" of auditing firms and provides that the U.S. comptroller general shall conduct a study pertaining to the potential effectiveness of administering such a concept. A mandatory rotation would impose a limit on the number of years the audit firm may serve as the auditor for the same client. The study will be completed and a report will be submitted to legislators by July 2003.

PULLING IT ALL TOGETHER

With the enactment of the Sarbanes-Oxley Act, the accounting profession now has at least four major sets of independence rules to work with, including those from the SEC, GAO and AICPA. A comparison of provisions pertaining to non-audit services will show that the Sarbanes-Oxley Act sets forth the stringent rules, followed in descending order by the SEC, GAO and AICPA.

Intuitively, the rules to follow will depend on the audit client. If the client is a publicly traded company, the new Act will apply in conjunction with the SEC rules. If the audit client is a government, nonprofit entity or a for-profit entity receiving federal assistance or participating in federal programs, compliance with the GAO's standards (Yellow Book) will be required. An audit of a privately held company will be subject to the AICPA's independence rules.

Whatever the case, the abiding interest in effective auditor independence is always well-founded, as the investing public looks to competent and objective auditors for assurances about financial information.

A. Christine Davis, CPA is a manager of litigation consulting and forensic accounting for Hemming Morse in San Franciso. She can be reached at davisc@hemming.com.

COPYRIGHT 2002 California Society of Certified Public Accountants
COPYRIGHT 2002 Gale Group