THE QUESTION

Can a registrant use compliance and/or risk-assessment tools provided by its audit firm to document and assess internal controls? And if so, under what circumstances (i.e., if part of audit or attestation agreement; if done with management, etc.)?

THE RESPONSE

Registrants are breathing sighs of relief that they will have more time than expected to comply with new rules regarding "internal control over financial reporting" that Section 404 of Sarbanes-Oxley requires. However, they still recognize that they face a daunting challenge for which the deadline will inevitably arrive.

It is logical for a registrant to turn to its auditor for help to meet the new Section 404 challenge for three reasons:

the auditor is an expert in this confusing context;

the auditor knows the registrant and its processes; and

the auditor will ultimately need to attest to management's assessment of the registrant's internal controls, so it seemingly makes sense to have auditor input while documenting and assessing internal controls to ensure that the auditor can give a clean bill of health when the time comes.

But, due to restrictions intended to ensure auditor independence (another significant objective of Sarbanes-Oxley), the big questions are whether and to what extent the auditor can assist without jeopardizing its independence.

Quick Background

The SEC recognizes the issues, and in releases relating to the auditor independence rules and the Section 404 rules, the SEC conceded that the auditor can provide some assistance. In the release relating to final independence rules, the SEC touched on the issue several times, including with the following:

"[W]e believe that designing and implementing internal accounting and risk management controls is fundamentally different from obtaining an understanding of the controls and testing the operation of the controls which is an integral part of any audit of the financial statements of a company. Likewise, design and implementation of these controls involves decision-making and, therefore, is different from recommending improvements in the internal accounting and risk management controls of an audit client (which is permissible, if pre-approved by the audit committee)."

"[W]e believe that designing and implementing internal accounting and risk management controls impairs the accountant's independence because it places the accountant in the role of management. Conversely, obtaining an understanding of, assessing effectiveness of, and recommending improvements to the internal accounting and risk management controls is fundamental to the audit process and does not impair the accountant's independence."

Also, in last Friday's release relating to final Section 404 rules, the SEC said:

"[M]anagement and the company's independent auditors will need to coordinate their processes of documenting and testing the internal controls over financial reporting. . . . [A]uditors may assist management in documenting internal controls. When the auditor is engaged to assist management in documenting internal controls, management must be actively involved in the process. We understand the need for coordination between management and the auditor ..."

Considering The Principles

But, the SEC statements give little concrete guidance other than at the extremes and say nothing about whether a registrant can use compliance and/or risk-assessment tools its audit firm provides to document and assess internal controls. Accordingly, registrants must consider what the SEC has said and the general principles underlying the SEC's independence analysis that prohibit an auditor from:

functioning in the role of management;

auditing its own work; and

serving in an advocacy role.

Arguments "Against"

There are some arguments that a registrant cannot use these compliance and/or risk-assessment tools.

First, in this complex area, it may be impossible to use the tools without essentially relying on them so much that they become the basis for documenting, implementing and assessing the registrant's internal controls. For example, under the Section 404 rules, management will need to evaluate the effectiveness of its internal controls based on the COSO framework (or another recognized control framework). The auditor undoubtedly relied on the COSO framework when it created its tools. If the auditor's tools are the only resource a registrant uses to meet the framework requirement, then when the auditor attests to management's assessment of the effectiveness of its internal controls based on the framework, the auditor is arguably auditing its own work because its tools provided the framework.

A second argument is simpler: it is not clear that this is something a registrant can do, other resources are available to the registrant at the same or a slightly higher cost, and the potential downside to the registrant is significant, so why risk using the auditor's tools?

More Compelling Arguments "For"

But, there are more compelling arguments that management may use these tools so long as neither the tools nor other actions of the auditor in this context put the auditor in a decision-making role relating to design, evaluation or implementation of controls or testing of controls for management.

First, simply using the auditor's tools only helps management document and assess existing controls and identify issues that management must address in designing or implementing controls. Because the tools themselves do not design or implement controls, they do not "cross the line" by including functions the auditor cannot perform.

Second, the tools seem to fall well within the types of activities that the SEC has said are acceptable, such as "evaluating the internal controls of a system as it is being designed, implemented or operated," "assist[ing] management in documenting internal controls" and providing "services in connection with the assessment of internal accounting and risk management controls, as well as providing recommendations for improvements."

Before Acting ...

Assuming that using these tools is acceptable, management should get audit committee pre-approval before proceeding.

In addition, the registrant will need to disclose fees that it pays for this assistance in its proxy statement. One question will be whether these fees are "audit-related fees" or "all other fees." Because the services are not for "internal control reviews" (part of the SEC's specific litany for "audit-related fees" in the independence rules release) and arguably are not otherwise assurance or related services that an auditor traditionally performs because they go beyond work that the auditor must do to support its assessment of management's evaluation, the better view probably is that a registrant must disclose the fees as "all other fees."

This column should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.