(The news featured below is a selection from the news covered in the Federal Securities Report Letter, which is distributed to subscribers of the Federal Securities Law Reports.)

Glassman Addresses Internal Control Issues, Approval of Non-Audit Services

The design and implementation of internal controls as required by the Sarbanes-Oxley Act is management's responsibility and cannot significantly involve the outside auditor, declared SEC Commissioner Cynthia Glassman in remarks at the Exchequer Club. Section 404 of the Sarbanes-Oxley Act and SEC rules require management to report on the effectiveness of the company's internal controls over financial reporting. In addition, the company's external auditor must attest to the appropriateness of management's report.

The commissioner cautioned that outside auditors risk losing their independence if they become too deeply involved in the design, implementation and documentation of internal controls. While they can generally assist management, the auditors must remain independent throughout the attestation process, which means they cannot usurp management's responsibilities or review their own work. For example, the commissioner said it would not be appropriate for an auditor to condition the attestation on the use of a proprietary software package or other services it offers.

On a related issue involving audit committee oversight of non-audit services, Commissioner Glassman emphasized that the SEC's auditor independence rules do not give a "green light" to all non-audit services that are not specifically prohibited by the Sarbanes-Oxley Act and SEC rules. While prohibiting a list of non-audit services, the act authorizes the audit committee to approve non-audit services not on the prohibited list.

She stated that the rules make clear that, while it is not a per se violation for the auditor to provide some non-audit services, there are situations in which those services can still impair an auditor's independence. Thus, the rules require that the audit committee carefully scrutinize each proposed non-audit service and make an informed judgment about the impact it might have on the auditor's independence. In the commissioner's view, a process allowing pre-approval of a "basket "of non-audit services would be contrary to the Sarbanes-Oxley Act requirement that the audit committee pre-approve each service.

Essentially, the SEC's auditor independence rules struck a balance. In the interest of allowing audit committees to make their own judgment on whether certain non-audit services were in the best interest of the company, explained the commissioner, the SEC did not impose a "red light" on all non-audit services. The intent of the rules, however, was "at most a cautious yellow light" and certainly not a green light. Auditors should not approach this issue as business as usual, she cautioned, and audit committees should bring "a healthy skepticism "to the process of approving non-audit services.