September 15, 2006


Ms. Nancy M. Morris
Secretary
U.S. Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549-1090

Re: Concept Release Concerning Management’s Reports on
       Internal Control Over Financial Reporting
       71 FR 40866 (July 18, 2006); File Number S7-11-06

Dear Ms. Morris:

America’s Community Bankers (“ACB”)1 appreciates the opportunity to comment on the Concept Release issued by the Securities and Exchange Commission (“Commission”) concerning management’s reports on internal control over financial reporting required by Section 404 of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”). Public comments received on the Concept Release are to become the basis for Commission guidance for management to implement Section 404. We applaud the efforts of the Commission to develop guidance for management, which is an important issue to our member community banks.

ACB Position

ACB supports the Commission’s efforts to issue guidance for management to assist publicly traded companies of all sizes to implement Section 4042 of Sarbanes-Oxley. ACB, however, has consistently maintained that banks with assets of less than $1 billion should be exempted from the provisions of Section 404 because of the provisions of the Federal Deposit Insurance Corporation Improvement Act of 1991 (“FDICIA”)3 that govern internal control reporting for banks. In developing guidance for management, we urge the Commission to deem bank compliance with Section 36 of FDICIA as sufficient for compliance with Section 404 of Sarbanes-Oxley for banks of all sizes. We also believe that Commission guidance for management should be flexible and remain as guidance and not become enforceable as a “rule” as suggested on page 5 of the Concept Release.

Highly Regulated Industry

Community banks are part of an industry governed by a multitude of statutes and regulations covering almost every aspect of banking activity. One of these statutes is FDICIA. Section 36 of FDICIA requires banks to have audited financial statements, annual management reports on internal controls, and an external auditor’s attestation of management’s assessment on internal controls. The Federal Deposit Insurance Corporation (“FDIC”) regulations implementing Section 364 established a tiered system of compliance for banks: small banks of less than $500 million are exempt from internal control requirements, and banks of less than $1 billion are exempt from management assessments and auditor attestations. These smaller banks nevertheless are required to have an adequate internal control structure in place.

ACB is pleased that in the Concept Release the Commission specifically recognizes the significance of Section 36 of FDICIA as it relates to banks, and that the statutory language of Section 36 is substantially similar to the language of Section 404. As we have advised in previous comment letters, the Section 404 provisions of Sarbanes-Oxley were modeled on the Section 36 provisions governing banks. However, the Concept Release does not go far enough to determine that compliance with Section 36 should negate banks having to also comply with Section 404.

Banks have complied with internal controls over financial reporting for many years under FDICIA. The federal bank regulatory agencies (“Bank Regulators”) have been examining and supervising management’s assessments of internal controls since FDICIA was implemented. Bank Regulators know the business of banking and are fully capable of evaluating a bank’s internal controls. Furthermore, Bank Regulators are experts in identifying risks that may have a potential material impact on the financial reports of a bank. Guidance on internal control assessment and reporting is published in examination manuals and audit handbooks of the Bank Regulators and of the Federal Financial Institution Examination Council. For these reasons, the Commission should accept the FDICIA standards for all levels of bank compliance with Section 404.

The Commission also asks in the Concept Release if it should provide management with guidance on fraud controls. The Bank Regulators through their supervisory and examination programs promote sound internal control structures that help banks detect and prevent fraud. Bank Regulators learn of insider fraud during an examination, and they work diligently to investigate and, if necessary, bring enforcement actions. The FDIC, on June 30, 2006, published in its Supervisory Insights a report detailing the enforcement actions brought against bank management engaged in fraudulent activities.5 These fraudulent activities often involved the failure of internal controls. This report demonstrates that the FDIC actively pursues fraud in financial institutions and with a full range of enforcement tools. We therefore urge the Commission to defer to the Bank Regulators in developing any guidance for bank management to implement Section 404.

Excessive Documentation

Although banks have been subject to internal control reporting under FDICIA, our members have found that much of the difficulty with implementing Section 404 is the result of the external auditors conservatively and inconsistently applying the PCAOB’s Accounting Standard No. 2 (“AS2”). ACB is pleased that the Commission’s Concept Release recognized our members’ concerns that the documentation required by the PCAOB and AS2 to implement Section 404 is excessive and burdensome. The Concept Release correctly reiterates ACB’s position that auditors applying AS2 identify numerous and often insignificant controls leading to excessive documentation. The Concept Release states that documentation “substantially exceeded” that which financial institutions produce under FDICIA even though the statutory language of FDICIA and Section 404 of Sarbanes-Oxley is “substantially similar.” This duplication of documentation resulting from bank compliance with FDICIA and Section 404 is particularly burdensome for community banks that may not have access to the resources, personnel, time and funds, as larger publicly traded banks. We ask that the Commission accept the level of documentation that the Bank Regulators have established for bank compliance with Section 36 of FDICIA.

In addition, our members continue to express concerns with the documentation required by AS2 and applied by external auditors for compliance with Section 404, without considering the size of the institution. External auditors continue to require community banks to provide the same type and amount of documentation to support internal controls as they require of the large banks. We recommend that the Commission in guidance identify the type or level of transactions that should be the focus of internal control reporting.

Not every transaction need be documented to support management’s conclusions on internal controls. ACB members report that external auditors relying on AS2 require transactions, both minor and significant, to be documented with process narratives or flows and diagrams from the beginning to the end of the transaction. The narratives must identify each step in the process, and the bank must show that they have tested each of the steps. The external auditors then retest the steps, whether or not they are critical to the internal controls. The Commission needs to provide guidance for management and auditors applying AS2 as to what types of transactions must be documented and to what extent. We suggest that documentation be limited to that which is “sufficient to support” management’s conclusions. We also suggest that the Commission follow the documentation requirements of the Bank Regulators under FDICIA.
Finally, ACB recommends that Commission’s guidance scale the documentation requirements to fit the size of the company, as have the Bank Regulators in adopting the tiered system under FDICIA. One size fits all has been demonstrated to be unworkable. Smaller community banks should not be held to the same documentation requirements as much larger banks. For community banks, the Commission could significantly improve the implementation process by accepting the documentation and level of testing required by FDICIA.

Guidance Generally

We believe that any management guidance issued by the Commission for banks should first follow the Bank Regulators’ treatment of internal control reporting and then follow the recommendations made by the Commission’s Advisory Committee on Smaller Public Companies (“Advisory Committee”). Guidance should be scaled to address the manner in which smaller companies operate, their size, structure, and complexity. As the Advisory Committee recognized, smaller public companies operate much differently from larger public companies. They face different challenges in establishing and evaluating internal controls.

Internal controls can vary significantly between industries. Certainly the banking industry is unique, and standards already exist for the banking industry based on FDICIA. Therefore, while it may not be possible for the Commission to make its guidance industry specific in all cases, the banking industry already has models for internal control assessments.

Finally, we strongly recommend that the Commission provide flexibility for management in meeting internal control reporting requirements and not adopt guidance with the full force and effect of a “rule.” We hope that the Commission can avoid the same difficulties that have arisen out of the auditors’ application, with little or no flexibility, of AS2. We also believe that banks that have implemented Section 404 should not be mandated by a “rule” to significantly revise or reverse their processes and procedures for internal control reporting under Section 404. These institutions should also have the flexibility of guidance to make revisions to their processes as they deem necessary to comply with Section 404 of Sarbanes-Oxley.

Conclusion

We appreciate this opportunity to comment on the Commission’s Concept Release. If you have any questions, please contact Patricia A. Milon at 202 857-3121 or [email protected] or the undersigned at 202 857-3186 or [email protected].

Sincerely,

Sharon A. Haeger
Regulatory Counsel

1America’s Community Bankers is the national trade association committed to shaping the future of banking by being the innovative industry leader strengthening the competitive position of community banks. To learn more about ACB, visit www.AmericasCommunityBankers.com

2See letter from ACB Regulatory Counsel, Sharon Lachman, to Nancy M. Morris, Secretary, the Securities and Exchange Commission, dated May 1, 2006; letter from ACB Regulatory Counsel, Sharon Lachman, to the Advisory Committee on Smaller Public Companies (“Advisory Companies”), dated April 3, 2006; and letter from ACB Senior Vice President Regulatory Affairs, Charlotte M. Bahin, to the Advisory Committee dated August 9, 2005. The foregoing letters are available at www.AmericasCommunityBankers.com.

312 U.S.C. § 1831m.
412 C.F.R. Part 363.
5See FDIC “Supervisory Report,” Summer 2006, Vol. 3, Issue 1. http://www.fdic.gov/regulations/examinations/supervisory/insights/index.html
 

About ACB | Government Relations | Products & Services | Affiliates | Members Area
| ACB News Bank | In The Community | Tools & Resources | Contact Us |

America’s Community Bankers
900 Nineteenth Street, NW, Suite 400,Washington, D.C. 20006
phone 202-857-3100 | fax 202-296-8716 | Contact Us
Copyright 1996-2006 © America’s Community Bankers. All Rights Reserved.

Important Legal Notice  |  Privacy Statement.

America’s Community Bankers is the national trade association committed to shaping the future of banking by being the innovative industry leader strengthening the competitive position of community banks.