Accounting News: Auditor Independence

Accounting News: Auditor Independence

This regular feature focuses on topics of influences that compromise critical importance to bank accounting. professional judgment, thereby Comments on this column and sugges- allowing an individual to act tions for future columns can be e-mailed with integrity and exercise to [email protected]. objectivity and professional skepticism. he words “independent” and “independence” are often used b. Independence in appearance. Tin conjunction with the services The avoidance of circumstances certified public accountants (CPAs or that would cause a reasonable external auditors) provide to their and informed third party, clients, including insured depository having knowledge of relevant institutions (banks or financial institu- information, including safe- tions). When CPAs and their firms guards applied, to reasonably provide certain services that require conclude that the integrity, them to be independent, such as audits objectivity, or professional skep- of financial statements and audits of ticism of a firm or member of internal control over financial reporting, the attest engagement team has they are referred to as independent been compromised.1 public accountants, independent audi- For financial institutions, the most tors, or external auditors. But what does common services performed by external “independence” mean when external auditors that require independence auditors provide these services? It is include audits of financial statements, useful for examiners to have an under- audits of internal control over financial standing of the general principles and reporting, and attestations on manage- concepts embodied in “independence” ment’s assessment of internal control because examiners are expected to over financial reporting. Therefore, the review and evaluate institutions’ exter- primary focus of this discussion will be nal auditing programs. This article on the independence standards related summarizes existing professional stan- to financial statement audits and internal dards for auditor independence, includ- control audits/attestations. ing recent developments regarding tax services and contingent fees as well as the use of limitation of liability clauses Importance of Auditor in engagement letters. Independence The American Institute of Certified Why is it important for the external Public Accountants’ (AICPA) Concep- auditor to be independent? A properly tual Framework for AICPA Indepen- conducted audit provides an independ- dence Standards (Conceptual ent and objective view of the reliability Framework) defines independence as of a financial institution’s financial state- a. Independence of mind. The ments. The external auditor’s objective state of mind that permits the in an audit is to form an opinion on the performance of an attest serv- financial statements taken as a whole. ice without being affected by When planning and performing the

1 ET Section 100.01, Conceptual Framework for AICPA Independence Standards, paragraph 6. The Conceptual Framework for AICPA Independence Standards was adopted by the AICPA’s Professional Ethics Executive Committee (PEEC) on January 30, 2006, and is available on the AICPA’s website. See www.aicpa.org/download/ ethics/Ethics_Interpretation_101-1_and_Conceptual_Framework.pdf.

33 Supervisory Insights Winter 2006 Accounting News continued from pg. 33

audit, the external auditor considers the cies rely on the results of audits as part financial institution’s internal control of their assessment of the safety and over financial reporting. Generally, the soundness of a financial institution. external auditor communicates any iden- Reliable financial reports, such as tified deficiencies in internal control to audited financial statements, are neces- management, which enables manage- sary for a financial institution to raise ment to take appropriate corrective capital. They provide data on an institu- action. In addition, certain financial insti- tion’s financial position and results of tutions are required to file audited finan- operations for stockholders, depositors, cial statements and internal control and other funds providers, borrowers, audit/attestation reports with one or and potential investors. Such information more of the Federal banking agencies.2 is critical to effective market discipline of The Federal Financial Institutions Exami- an institution. nation Council’s (FFIEC) Interagency Policy Statement on External Auditing For audits to be effective, the external Programs of Banks and Savings Associa- auditors must be independent in both tions3 notes that “an institution’s internal fact and appearance, and must perform and external audit programs are critical all necessary procedures to comply with to its safety and soundness.” The auditing and attestation standards estab- FFIEC’s policy statement also says that lished by either the AICPA or, if applica- an effective external auditing program ble, the Public Company Accounting “can improve the safety and soundness Oversight Board (PCAOB). of an institution substantially and lessen the risk the institution poses to the insur- ance funds administered by the Federal Independence Deposit Insurance Corporation.” Standard-Setters Many financial institutions are Currently, the independence standard- required to have their financial state- setters include the AICPA, the U.S. ments audited, and others voluntarily Securities and Exchange Commission choose to undergo such audits. For (SEC), and the PCAOB. Depending example, banks and savings associa- upon the audit client, an external audi- tions with $500 million or more in total tor is subject to the independence stan- assets are required to have annual inde- dards issued by one or more of these pendent audits.4 Certain savings asso- standard-setters. For nonpublic finan- ciations (for example, those with a cial institutions6 that are not required CAMELS rating of 3, 4, or 5) and to have annual independent audits savings and loan holding companies are pursuant to either Part 363 of the FDIC also required by the Office of Thrift regulations or Section 562.4 of the OTS Supervision (OTS) regulations to have regulations, the external auditor must annual independent audits.5 The Agen- comply with the AICPA’s independence

2 The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), collectively referred to as the Agencies. 3 Published in the Federal Register on September 28, 1999 (64 FR 52319). 4 See Section 36(d) of the Federal Deposit Insurance Act (12 U.S.C. 1831m) and Sections 363.1(a) and 363.2(a) of Part 363 of the FDIC’s regulations (12 CFR 363). 5 See OTS regulation at 12 CFR 562.4. 6 Nonpublic financial institutions are companies that are not, or whose parent companies are not, subject to the reporting requirements of the Securities Exchange Act of 1934.

34 Supervisory Insights Winter 2006 standards; the financial institution’s For financial institutions and bank hold- external auditor is not required to ing companies that are public compa- comply with the independence stan- nies,7 regardless of size, the external dards of the SEC and the PCAOB. auditor should be in compliance with the SEC’s and the PCAOB’s independence In contrast, for financial institutions standards as well as the AICPA’s inde- subject to the audit requirements either pendence standards. in Part 363 of the FDIC regulations (i.e., those with $500 million or more in total The table below illustrates the applica- assets) or in Section 562.4 of the OTS bility of the AICPA, SEC, and PCAOB regulations, the external auditor should independence standards. be in compliance with the AICPA’s Code of Professional Conduct and also meet the independence requirements and Independence Standards interpretations of the SEC and its staff. The independence standards and inter- The SEC’s independence requirements pretations of the AICPA, the SEC, and encompass the independence standards the PCAOB8 set forth rules and provide and rules adopted by the PCAOB and guidance regarding many facets of the approved by the SEC. external auditor’s relationship with and

Applicability of AICPA SEC PCAOB Auditor Independence Independence Independence Independence Standards Standards Standards Standards Scenario 1 Nonpublic institutions YES NO NO not subject to Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations Scenario 2 Public and nonpublic YES YES YES institutions subject to Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations Scenario 3 Institutions and holding YES YES YES companies that are public companies (regardless of size)

7 Public companies are companies, or subsidiaries of companies, that are subject to the reporting requirements of the Securities Exchange Act of 1934. 8 For the AICPA, refer to the AICPA’s Code of Professional Conduct, ET Section 101, Independence; ET Section 191, Ethics Rulings on Independence, Integrity, and Objectivity; and Interpretations under Rule 101 - Indepen- dence. For the SEC, refer to Rule 2-01 of Regulation S-X (17 CFR Section 210.2-01); the Codification of Financial Reporting Policies - Section 600 - Matters Relating to Independent Accountants; and the Office of the Chief Accountant’s Frequently Asked Questions: Application of the Commission’s Rules on Auditor Independence. See www.sec.gov/info/accountants/ocafaqaudind121304.htm. For the PCAOB, refer to the following PCAOB Rules and Professional Standards: Rule 3500T—Interim Ethics Standards; Rule 3520—Auditor Independence; Rule 3521— Contingent Fees; Rule 3522—Tax Transactions; Rule 3523—Tax Services for Persons in Financial Reporting Over- sight Roles; Rule 3524—Audit Committee Pre-approval of Certain Tax Services; and Rule 3600T—Interim Independence Standards. See www.pcaobus.org/Rules/Rules of_the_Board/Section_3.pdf.

35 Supervisory Insights Winter 2006 Accounting News continued from pg. 35

performance of services for an audit comply with applicable professional stan- client, including dards and the firm’s standards of qual- ity.”10 The AICPA’s standards further set (1) which members of the audit engage- forth five broad elements of appropriate ment team are subject to the inde- quality control in a public accounting pendence rules (referred to as firm, which relate to maintaining inde- “Covered Members or Persons”); pendence, integrity, and objectivity; (2) financial relationships of Covered managing personnel; establishing guide- Members/Persons or their immedi- lines for accepting and continuing ate families; clients; performing engagements; and monitoring the existing quality control (3) financial interests in nonclients policies and procedures. having investor or investee relation- ships with clients; Audit firms that provide audit/attest services to nonpublic clients are subject (4) financial interests of audit firm part- to peer reviews performed in accordance ners and professional employees, with applicable AICPA standards, and their immediate families, and close audit firms that provide audit/attest relatives; services to public clients are subject to (5) employment relationships of the inspections performed by the PCAOB.11 audit firm’s partners, professional Peer reviews and inspections include an employees, and their immediate examination and/or review of an audit family and close relatives; and firm’s quality controls. However, for any particular audit client, the most visible (6) the performance of nonaudit serv- and apparent independence concerns ices to audit clients. would be manifested in the services (audit However, while the independence and nonaudit) provided to the client. rules and interpretations provide guid- ance and establish a framework for AICPA Independence Standards auditors to follow, they do not—nor were they meant or designed to— The AICPA’s professional standards consider all circumstances that raise require audit firms, including the firms’ independence concerns. partners and professional employees, to be independent in accordance with The AICPA, the SEC, and the PCAOB AICPA Rule 101, Independence,12 of the also require audit firms to have quality Code of Professional Conduct (Rule 101) controls for their audit practices.9 The whenever an audit firm performs an AICPA’s standards define quality control attest service for a client. Attest services as “a process to provide the firm with include financial statement audits, finan- reasonable assurance that its personnel cial statement reviews, and other attest

9 For the AICPA, refer to its Quality Control (QC) Standards, QC Section 20—System of Quality Control for a CPA Firm’s Accounting and Auditing Practice; QC Section 30—Monitoring a CPA Firm’s Accounting and Auditing Prac- tice; and QC Section 40—The Personnel Management Element of a Firm’s System of Quality Control—Competen- cies Required by a Practitioner-in-Charge of an Attest Engagement. On July 28, 2006, the AICPA’s Auditing Standards Board issued an Exposure Draft of a proposed Statement of Quality Control Standards that will replace all the existing QC Standards. For the SEC, refer to Rule 2-01(d) of Regulation S-X. For the PCAOB, refer to Rule 3400T—Interim Quality Control Standards—of its Rules and Professional Standards. 10 Refer to QC Section 20.03 of the AICPA’s QC Standards. 11 The public portions of these peer review and inspection reports are available on the AICPA’s and the PCAOB’s websites. See www.aicpa.org/centerprp/publicfile01.htm and www.pcaobus.org/Inspections/Public_Reports/index.aspx, respectively. 12 AICPA, Professional Standards, ET Section 101.01.

36 Supervisory Insights Winter 2006 services as defined in the AICPA’s State- • Corporate finance consulting or ments on Standards for Attestation advisory services, Engagements. For all financial institution • Appraisal, valuation, or actuarial audits (whether the audit is voluntary or services, required; whether or not the financial institution is subject to Part 363 of the • Executive or employee search services, FDIC regulations or Section 562.4 of the • Business risk consulting, and OTS regulations; and whether the finan- cial institution is a public or a nonpublic • Information systems design, installa- company), the financial institution’s tion, or integration. external auditor must comply with the Before an audit firm performs non- AICPA’s Independence Standards. attest services for an audit client, the Independence is not required when an AICPA’s Rule 101 requires the audit audit firm performs services that are not firm to meet certain general require- attest services, if those services—for ments. If certain nonattest services (for example, tax preparation and consulting example, internal audit assistance) are services—are the only services an audit to be performed, the audit firm must firm provides to a particular client. also satisfy service-specific require- However, Rule 101 requires an auditor to ments. In cases where the general or comply with the independence regula- service-specific requirements for non- tions of authoritative regulatory bodies attest services are not met, the audit (such as the SEC and state boards of firm’s independence would be impaired accountancy) when the auditor performs with respect to the attest services the 13 nonattest services for an attest client and audit firm provides to that audit client. is required to be independent of the The general requirements for perform- client under the regulations of the appli- ing nonattest services for audit clients cable regulatory body. The auditor’s fail- under Rule 101 include ure to comply with the nonattest services provisions contained in the independ- The audit firm should not perform management functions or make ence rules of the applicable regulatory management decisions for the audit body that are more restrictive than the client. provisions of Rule 101 would constitute a violation of Rule 101. The audit client must agree to perform the following functions in connection The AICPA’s Rule 101 imposes limits with the nonattest services: on the nature and scope of nonattest – Make all management decisions services an audit firm may provide to an and perform all management audit (attest) client. Rule 101 specifically functions; addresses the following nonattest services: – Designate an individual who • Bookkeeping services, possesses suitable knowledge and/or experience to oversee the • Payroll and other disbursement services; services, – Evaluate the adequacy and results • Internal audit assistance, of the services performed; • Benefit plan administration, – Accept responsibility for the results of the services; and • Investment advisory or management – Establish and maintain internal services, controls, including monitoring • Tax services, ongoing activities.

13 AICPA, Professional Standards, ET Section 101.05.

37 Supervisory Insights Winter 2006 Accounting News continued from pg. 37

Before performing nonattest services, and/or experience to be responsible the audit firm should establish and for the internal audit function; document the following in writing Determines the scope, risk, and with the client: frequency of internal audit activities, – Objectives of the engagement, including those to be performed by – Services to be performed, the external auditor providing internal – Client’s acceptance of its audit assistance services; responsibilities, Evaluates the findings and results aris- – Audit firms’ responsibilities, and ing from the internal audit activities; – Any limitation of the engagement. and Internal audit services, sometimes Evaluates the adequacy of the audit referred to as “internal audit outsourc- procedures performed and the find- ing,” are one of the more common ings resulting from the performance nonaudit services audit firms provide of those procedures by, among other to financial institutions. In evaluating things, obtaining reports from the whether independence would be external auditor. impaired with respect to an audit client As previously indicated, it is impossible that is not a public company and is not to enumerate all circumstances in which subject to Part 363 of the FDIC regula- the appearance of independence might tions or Section 562.4 of the OTS regu- be questioned. In the absence of an lations, the nature of the internal audit independence interpretation or ruling services to be provided to the client under the AICPA’s rules that addresses a needs to be considered.14 Assisting the particular circumstance, a member client in performing financial and opera- (auditor) should consider whether that tional internal audit activities would circumstance would lead a reasonable impair independence unless the external person aware of all of the relevant facts auditor takes appropriate steps to ensure to conclude there is an unacceptable that the client understands its responsi- threat to the member’s and the firm’s bilities for establishing and maintaining independence. The AICPA’s Conceptual the internal control system and directing Framework provides a risk-based the internal audit function, including the approach for making that evaluation. management thereof. Accordingly, any The risk-based approach involves three outsourcing of the internal audit func- steps: (1) the auditor should identify tion to the external auditor whereby the and evaluate threats to independence; external auditor in effect manages the (2) the auditor should determine internal audit activities of the client whether safeguards already eliminate or would impair independence. sufficiently mitigate identified threats In addition to the general requirements and whether threats that have not yet of Rule 101 for performing nonattest been mitigated can be eliminated or services for an audit client, the external sufficiently mitigated by safeguards; and auditor should ensure that client (3) if no safeguards are available to elim- management inate an unacceptable threat or reduce it to an acceptable level, the auditor Designates an individual or individuals should conclude that independence who possess suitable skill, knowledge, would be considered impaired.15

14 For audit clients that are public companies or that are subject to Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations, internal audit outsourcing to the external auditor is generally impermissible under the SEC’s independence rules. 15 ET Section 100.01, Conceptual Framework for AICPA Independence Standards, paragraph 5.

38 Supervisory Insights Winter 2006 Many different circumstances (or ing with the SEC’s independence rules, combinations of circumstances) can the SEC’s Office of the Chief Accoun- create threats to an auditor’s independ- tant has also issued and periodically ence. It is impossible to identify every updates a document titled Application situation that threatens independence. of the Commission’s Rules on Auditor However, seven broad categories of Independence—Frequently Asked threats should always be evaluated Questions. when threats to independence are Unlike the AICPA’s independence rules, being identified and assessed. They are the SEC’s independence rules provide (1) self review (auditors reviewing the that an accountant is not independent if, results of their own nonattest work); at any point during the audit and profes- (2) advocacy (actions by the auditor to sional engagement period,18 the account- promote the client’s interests or posi- ant provides any of the following tion); (3) adverse interest (actions or nonaudit services to an audit client: interests between the auditor and the client that are in opposition); (4) famil- • Bookkeeping or other services related iarity (auditors having a close or long- to the accounting records or financial standing relationship with an attest statements of the audit client; client); (5) undue influence (attempts • Financial information systems design by the client’s management to coerce and implementation; or exercise excessive influence over the auditor); (6) financial self-interest • Appraisal or valuation services, fair- (potential benefit to the auditor from a ness opinions, or contribution-in-kind financial interest in, or from some reports; other financial relationship with the • Actuarial services; client); and (7) management participa- tion (the auditor taking the role of • Internal audit outsourcing services; client management or performing • Management functions; management functions on behalf of the client).16 • Human resources services; • Broker-dealer, investment adviser, or SEC Independence Standards investment banking services; The SEC’s independence rules are • Legal services; or set forth in Rule 2-01 of Regulation S-X (Rule 2-01).17 Rule 2-01 was amended • Expert services unrelated to the audit. in January 2003 by Release No. 33- The SEC’s rules state that bookkeep- 8183, Strengthening the Commission’s ing, financial information systems Requirements Regarding Auditor Inde- design and implementation, appraisal or pendence, to fulfill the mandate of valuation services, actuarial services, Title II of the Sarbanes-Oxley Act of and internal audit outsourcing services 2002. To assist practitioners in comply-

16 ET Section 100.01, Conceptual Framework for AICPA Independence Standards, paragraphs 12 to 19. 17 See 17 CFR 210.2-01. 18 Under Rule 2-01(f)(5), the audit and professional engagement period includes both: (1) the period covered by any financial statements being audited or reviewed (the “audit period”); and (2) the period of the engagement to audit or review the audit client’s financial statements to prepare a report filed with the SEC (the “professional engagement period”). The professional engagement period begins when the accountant either signs an initial engagement letter (or other agreement to review or audit a client’s financial statements) or begins audit, review, or attest procedures, whichever is earlier; and the professional engagement period ends when the audit client or the accountant notifies the SEC that the client is no longer that accountant’s audit client.

39 Supervisory Insights Winter 2006 Accounting News continued from pg. 39 are prohibited “unless it is reasonable PCAOB Independence Standards to conclude that the results of these Title I of the Sarbanes-Oxley Act of services will not be subject to audit 2002 established the PCAOB and procedures during an audit of the audit charged it with the responsibility of client’s financial statements.”19 This overseeing the audits of public compa- limited exception to the general prohibi- nies that are subject to the U.S. Federal tion regarding nonaudit services is quite securities laws. Only accounting firms narrow in the SEC’s view, establishing that register with the PCAOB (registered a rebuttable presumption that these public accounting firms) may audit services are subject to audit procedures. public companies. The PCAOB’s duties In other words, the SEC presumes that, include the establishment of auditing, when an accountant audits an audit quality control, ethics, independence, client’s financial statements, the accoun- and other standards relating to public tant will end up auditing the work he or company audits. she performed when rendering the aforementioned nonaudit services for The PCAOB adopted all of the inde- the audit client. pendence standards described in the AICPA’s Code of Professional Conduct Like the AICPA’s independence rules, Rule 101, and the interpretations and the SEC’s independence rules do not rulings thereunder, as in existence on purport to consider all circumstances April 16, 2003, as the PCAOB’s Interim that raise independence concerns. In Independence Standards. These Interim this regard, the SEC considers whether a Independence Standards also include relationship or the provision of a service Standards Nos. 1, 2, and 3 and Interpre- (a) creates a mutual or conflicting inter- tations 99-1, 00-1, and 00-2 of the former est between the accountant and the audit Independence Standards Board. Gener- client (b) places the accountant in a ally, this means that the PCAOB applies position of auditing his or her own work the independence standards/principles (c) results in the accountant acting as discussed under the “AICPA Indepen- management or an employee of the audit dence Standards” section of this article client or (d) places the accountant in a to registered public accounting firms. position of being an advocate for the audit client. The PCAOB’s Interim Independence Standards do not supersede the SEC’s The SEC will not recognize an account- auditor independence rules. Therefore, ant as independent, with respect to an to the extent that a provision of the audit client, if the accountant is not, or a SEC’s rules is more or less restrictive reasonable investor with knowledge of all than a provision of the PCAOB’s Interim relevant facts and circumstances would Independence Standards, a registered conclude that the accountant is not, public accounting firm must comply with capable of exercising objective and impar- the more restrictive rule. tial judgment on all issues encompassed within the accountant’s engagement. In The PCAOB’s interim standards will determining whether an accountant is remain in effect until modified or super- independent, the SEC will consider all seded, either by PCAOB action approved relevant circumstances, including rela- by the SEC, or by SEC action pursuant tionships between the accountant and the to its independent authority under the audit client, and not just those relating to Federal securities laws to establish inde- reports filed with the SEC. pendence standards for auditors of public companies.

19 See Rule 2-01(c)(4)(i) through (v) of SEC Regulation S-X (17 CFR 210-01).

40 Supervisory Insights Winter 2006 Letters.20 The Interagency Advisory Recent Developments in applies to audit engagement letters Auditor Independence executed on or after February 9, 2006, and provides that the inclusion of indem- Recent AICPA Developments nification and limitation of liability provi- sions in external audit engagement On September 8, 2006, the AICPA’s letters will generally be considered an Professional Ethics Executive Committee unsafe and unsound practice. Appen- (PEEC) re-exposed its Proposed Interpre- dix A of the Interagency Advisory con- tation 101-16 under Rule 101: Indemnifi- tains examples of unsafe and unsound cation, Limitation of Liability, and ADR limitation of liability provisions. Clauses in Engagement Letters. The comment period for the revised Exposure While the Interagency Advisory Draft (ED) ended on December 8, 2006. addresses indemnification and limitation The AICPA’s initial ED on this subject was of liability from a safety and soundness issued on September 15, 2005. perspective, rather than from an auditor independence perspective, it is fairly The revised ED is significantly differ- consistent with the PEEC’s September ent from the September 2005 ED. The 2005 ED. However, the PEEC’s Septem- revised ED has an underlying principle ber 2006 revised ED is generally incon- that would permit external auditors to sistent with its September 2005 ED and include indemnification and limitation the Interagency Advisory. of liability provisions in audit engage- ment letters if such provisions are contingent upon the related services Recent PCAOB Developments being performed in compliance with On April 19, 2006, the SEC approved professional standards, in all material the PCAOB’s proposed ethics and inde- respects. However, the revised ED would pendence rules concerning independ- also permit certain indemnification and ence, tax services, and contingent fees. limitation of liability provisions to be These rules have varying effective dates, included in audit engagement letters most of which are in 2006. and not be subject to the underlying principle. For example, under the Besides establishing general rules revised ED, the audit client could waive with respect to ethics and independ- the right to seek punitive damages and ence, these new PCAOB rules restrict indemnify the auditor for third-party certain types of tax services a regis- punitive damage awards, the time tered public accounting firm may period for the client to file a claim for provide to an audit client and certain damages could be limited, and the members of the client’s management, client’s right to assign or transfer a and prohibit contingent fee arrange- claim could be limited. ments for any services a registered public accounting firm provides to an On February 3, 2006, the Federal bank- audit client, in order for the firm to ing agencies, together with the National maintain its independence with respect Credit Union Administration, issued an to that client. Nonpublic financial insti- Interagency Advisory on the Unsafe and tutions subject to Part 363 of the FDIC Unsound Use of Limitation of Liability regulations or Section 562.4 of the Provisions in External Audit Engagement OTS regulations and their auditors

20 FIL-13-2006, External Audit Engagement Letters: Unsafe and Unsound Use of Limitation of Liability Provisions, February 9, 2006, www.fdic.gov/news/news/financial/2006/fil06013.html. Also see the February 3, 2006, Joint Press Release, www.fdic.gov/news/news/press/2006/pr06011.html and the Federal Register, Volume 71, Page 6847, www.fdic.gov/regulations/laws/federal/2006/06notice29.pdf.

41 Supervisory Insights Winter 2006 Accounting News continued from pg. 41

should note that these new independ- Accordingly, as noted in the February ence rules from the PCAOB apply to 2006 Interagency Advisory and the institutions’ external auditors. 1999 Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations, examiners Examiner Considerations should consider an institution’s policies Auditor independence is the corner- and processes surrounding its external stone for CPAs and audit firms that auditing program, including those for provide audit/attestation services to determining whether the auditor main- financial institutions. Sometimes tains appropriate independence in its concerns regarding an auditor’s inde- relationship with the institution under pendence with respect to a specific audit applicable professional standards, when client are “black and white” and a deci- they evaluate the institution’s program. sion as to whether the auditor’s inde- Examiners should also review external pendence is impaired can be reached audit engagement letters to determine rather easily. However, many times, the whether they include any limitation of resolution of concerns regarding auditor liability provisions of the types that are independence requires a thorough and deemed unsafe and unsound by the complete analysis of all of the relevant Interagency Advisory. facts and circumstances before a conclu- sion can be made. In the end, ensuring Harrison E. Greene, Jr. auditor independence is a responsibility CPA, CBA, Accounting and of both the auditor and the client finan- Securities Disclosure Section cial institution. Washington, DC

42 Supervisory Insights Winter 2006