(The news
featured below is a selection from the news covered in the Federal Securities
Report Letter, which is distributed to subscribers of the Federal
Securities Law Reports.)
Glassman Addresses Internal
Control Issues, Approval of Non-Audit Services
The design and implementation of
internal controls as required by the Sarbanes-Oxley Act is management's
responsibility and cannot significantly involve the outside auditor, declared
SEC Commissioner Cynthia Glassman in remarks at the Exchequer Club. Section 404
of the Sarbanes-Oxley Act and SEC rules require management to report on the
effectiveness of the company's internal controls over financial reporting. In
addition, the company's external auditor must attest to the appropriateness of
management's report.
The commissioner cautioned that
outside auditors risk losing their independence if they become too deeply
involved in the design, implementation and documentation of internal controls.
While they can generally assist management, the auditors must remain independent
throughout the attestation process, which means they cannot usurp management's
responsibilities or review their own work. For example, the commissioner said it
would not be appropriate for an auditor to condition the attestation on the use
of a proprietary software package or other services it offers.
On a related issue involving audit
committee oversight of non-audit services, Commissioner Glassman emphasized that
the SEC's auditor independence rules do not give a "green light" to
all non-audit services that are not specifically prohibited by the
Sarbanes-Oxley Act and SEC rules. While prohibiting a list of non-audit
services, the act authorizes the audit committee to approve non-audit services
not on the prohibited list.
She stated that the rules make
clear that, while it is not a per se violation for the auditor to provide
some non-audit services, there are situations in which those services can still
impair an auditor's independence. Thus, the rules require that the audit
committee carefully scrutinize each proposed non-audit service and make an
informed judgment about the impact it might have on the auditor's independence.
In the commissioner's view, a process allowing pre-approval of a "basket
"of non-audit services would be contrary to the Sarbanes-Oxley Act
requirement that the audit committee pre-approve each service.
Essentially, the SEC's auditor
independence rules struck a balance. In the interest of allowing audit
committees to make their own judgment on whether certain non-audit services were
in the best interest of the company, explained the commissioner, the SEC did not
impose a "red light" on all non-audit services. The intent of the
rules, however, was "at most a cautious yellow light" and certainly
not a green light. Auditors should not approach this issue as business as usual,
she cautioned, and audit committees should bring "a healthy skepticism
"to the process of approving non-audit services.
|