May 1, 2006
Ms. Nancy M. Morris
Secretary
Securities and Exchange Commission
100 F Street N.E.
Washington, D.C. 20549-1090
Re: Second-year Experiences with the Implementation of Internal Control
Reporting and Auditing Provisions of Section 404 of the Sarbanes-Oxley Act
of 2002
File Number 4-511
Dear Ms. Morris:
America’s Community Bankers (“ACB”) is pleased to submit comments on second-year
experiences with the implementation of internal control reporting and auditing
provisions of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”). These comments
are being submitted in connection with the Securities and Exchange Commission
(“SEC”) and Public Company Accounting Oversight Board (“PCAOB”) roundtable to be
held on May 10, 2006. We applaud the efforts of the SEC and PCAOB to monitor the
experiences of registrants and auditors as they implement Section 404 of
Sarbanes-Oxley. ACB has previously commented on these issues as community banks
have unique issues with respect to Section 404. We once again would like to
reiterate our comments to the SEC and PCAOB as well as comment on issues
relating to the second year of implementation of Section 404.
ACB Position
Community banks are extensively regulated by government bank regulatory
agencies. ACB, therefore, strongly believes that community banks with assets
below $1 billion should be exempt from Section 404 of Sarbanes-Oxley. For
institutions above the $1 billion threshold, we urge the SEC, in conjunction
with the PCAOB, to ease the burden and costs of Section 404 compliance by
amending Auditing Standard No. 2 (“AS2”). We specifically recommend that the SEC
and PCAOB eliminate the auditor’s opinion on the effectiveness of internal
controls and add flexibility to the existing standards as to requirements
governing internal controls, documentation and testing.
Community Bank Regulation Under FDICIA
Community banks are part of a highly regulated industry and for this reason they
are distinguishable from other publicly held companies. Banks are required by
law and regulation to operate more conservatively than other companies in
unregulated industries. Banks are subject to routine safety and soundness
examinations often by more than one government regulator. Section 36 of the
Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA)2 requires
banks to have audited financial statements, an annual management report on
internal controls, and an attestation of management’s assessment on internal
controls by the external auditor. In fact, the language of Section 404 was
modeled on the language of FDICIA. The Federal Deposit Insurance Corporation,
recognizing the burden of internal control reporting and external auditor
attestation requirements placed on smaller banks, by regulation, exempted banks
under $1 billion in total assets from such requirements.3 ACB on several
occasions has asked the SEC and PCAOB to take actions consistent with the
banking agencies and exempt community banks with less than $1 billion in assets
from the requirements of Section 404.4
Costs of Compliance
Community banks that are accelerated filers have reported that their costs for
the second year of implementation of Section 404 have gone down. The reduction
in costs was primarily the result of the elimination of outside consultants and
software costs that were a one-time expenditure. Community banks, however,
continue to report that the annual recurring costs of complying with Section 404
are excessive, as overall audit costs have increased for banks since the
implementation of 404 with very little or no perceived benefits in financial
reporting or the safeguarding of assets. These additional audit costs are
considered unnecessary for banks subject to FDICIA, as external auditors were
already performing similar attestation functions under FDICIA. In addition to
these quantitative costs, our members report that the additional costs of
management and employee time and the diversion of attention from running and
improving their businesses must also be considered.
Auditing Standard No. 2
In addition to complying with the reporting requirements of FDICIA, banks after
the passage of Sarbanes-Oxley also must comply with similar and duplicative
reporting requirements under Section 404. This duplication of reporting has
resulted in unnecessary and excessive costs for banking institutions. Our
members report that although compliance with the FDICIA reporting requirements
has helped large institutions prepare for Section 404, the more burdensome
requirements imposed by PCAOB AS2 are unnecessary.
According to community banks, much of the burden and costs of the second year of
implementation continue to result from the requirements and application of AS2
issued by the PCAOB. This is true even after the issuance of the May 2005
guidance. As we have stated in previous comment letters, the application of AS2
continues to prove problematic and expensive for our members. External auditors
are fearful of improperly implementing AS2 and thereby being subject to
criticism or sanction by the PCAOB. Although the PCAOB guidance was helpful, our
members report that external auditors continue to approach audits in a very
stringent and ultraconservative manner by requiring an extensive level of
detailed testing with its accompanying documentation of the procedures and
findings. Their focus is on details and their ability to demonstrate compliance
with the PCAOB’s standards themselves rather than on our members’ significant
issues or areas of risk.
The literal language of Section 404 does not require an independent audit
opinion. The statute specifically requires that management assess the
effectiveness of internal controls and that a registered public accounting firm
attest to and report on the assessment made by management. The PCAOB adopted an
expanded interpretation of the statutory provisions by issuing AS2 that in turn
requires a detailed integrated audit of internal controls and financial
statements and that further requires the external auditor to opine on the
effectiveness of the internal controls. Conducting a thorough and detailed
review of how management reaches its conclusion about internal controls is
useful. Requiring an independent auditor to attest to and report on the internal
controls over financial reporting is duplicative work as the bank’s internal
audit function and senior management now perform the same work. ACB believes
that elimination of the requirement for a separate audit of internal controls by
the external auditor would lessen the burdens and costs of Section 404.
Documentation
Community banks that are accelerated filers report that during the second year
of implementation, the level of documentation being required for the purposes of
the independent audit continues to be unnecessarily intensive and time
consuming. As regulated entities, community banks of all sizes are required to
have effective internal controls in place. These controls already require a
substantial amount of documentation for all bank processes. However, under
Section 404 the depth and breadth of the documentation being required by
external auditors and the number of controls being judged to need further
documentation is much greater than what was required in the past. For the second
year of implementation, documenting changes to existing activities and business
processes continues to be extremely time consuming. AS2 could be amended to
require documentation only for changes in material controls or controls in areas
that pose significant risks to the bank. In addition, our members have reported
difficulties with external auditors in evaluating risk and agreeing on risk
assessments.
Testing Requirements
Testing requirements imposed by external audit firms during the auditing process
continue to be an area of concern in the second year of implementation.
Community banks report that external auditors continue to test every control
annually. The testing of controls of community banks is redundant. Internal
controls are tested as a result of FDICIA requirements for banks over $1 billion
in assets. Controls are tested internally by bank staff and internal auditors
and then again by external auditors. Bank examiners also test internal controls.
ACB members in the second year of implementation continued to observe little or
no reliance by the external auditor on internal testing. ACB recommends that the
PCAOB allow external auditors to rely on testing by internal audit staff and
management. In addition, guidance should also allow auditors to rotate testing
based upon significance so not every control would need annual testing.
PCAOB and the Auditor
AS2 requires an auditor to perform sufficient auditing to form his or her own
opinion as to the effectiveness of a company’s internal controls. External
auditors are reluctant to exercise discretion and limit the scope of their
review for fear of criticism or sanction by the PCAOB. Community banks report
that the PCAOB’s review process of the registered public accounting firms is
exerting undue perceived pressure on the public accounting firms to overstate
the internal controls area. As a result, external auditors have less flexibility
in planning, performing and documenting their audits. External auditors in an
effort to avoid potential PCAOB comments on review have increased their level of
detail in testing and documenting their procedures and findings. External
auditors are tending not to use professional judgment and discretion on various
control issues but rather are focusing on the level of documentation that they
perceive will satisfy the PCAOB. This does not improve the quality of financial
reporting. One way to rectify this situation would be to amend AS2 to be more
flexible and to allow external auditors to exercise judgment and discretion.
Conclusion
ACB appreciates the opportunity to comment on our members’ experiences with the
second year implementation of Section 404 of Sarbanes-Oxley. We are available to
assist the SEC and PCAOB to better understand the regulation of banks by
government agencies and the reporting requirements under banking law. If you
have any questions, please contact the undersigned at (202) 857-3186 or via e-mail
at [email protected].
Sincerely,
Sharon H. Lachman
Regulatory Counsel
Regulatory Affairs