May 18, 2006
Sharon Macey
Audit and Attest Standards
AICPA
1211 Avenue of the Americas
New York, NY 10036-8775
Re: Exposure Draft – Proposed Statement on Standards for Attestation
Engagements
Reporting on an Entity’s Internal Control Over Financial Reporting
Dear Ms. Macey:
America’s Community Bankers (“ACB”)1 is pleased to comment
on the Exposure Draft (“ED”) issued by the American Institute of
Certified Public Accountants’ (“AICPA”) Auditing Standards
Board (“ASB”) containing a proposed statement on standards for
attestation engagements (“SSAE”). The ED provides guidance to an
audit practitioner for evaluating management’s basis in making an assertion
about an entity’s internal control over financial reporting as well as
reporting expectations for managers of privately held companies regarding internal
control over financial reporting. The ED states that the proposal would be
applicable to and appropriate for examination of the internal controls of non-publicly
traded corporations and useful to regulated entities such as financial institutions,
insurance companies, and governmental entities.
ACB Position
ACB appreciates the efforts of the ASB in striving to develop a more appropriate
SSAE for private companies. We understand that this proposal is modeled after
the Public Company Accounting Oversight Board’s (“PCAOB”)
Auditing Standard No. 2 and that the proposal has been revised to reflect much
of the requirements stated therein. However, this proposal does not adequately
compensate for the lack of complexity inherent in privately held companies
as compared to public institutions. This SSAE too closely mirrors the PCAOB’s
public company standard and should instead be tailored to more closely reflect
requirements necessary for less complex, privately held companies. Specifically,
ACB has strong concerns about several aspects of the proposal as well as its
application to community banks.
- We object to the increased level of internal control oversight that will
  result for the banking industry as this industry is already heavily regulated
  with regard to internal controls. We strongly recommend allowing those
  depository institutions that are already subject to the Federal Deposit
  Insurance Corporation Improvement Act (“FDICIA”) internal control
  requirements to remain under the current attestation requirements and not be
  required to follow the revised SSAE.
- This proposal creates an unreasonable one-size-fits-all approach as it is
  applicable to all privately held companies regardless of size or level of
  complexity. We recommend varying or even exempting the application of
  portions of this SSAE based on complexity of the institution. This will begin
  to mitigate the concerns ACB has with uniform application across all types
  and sizes of private companies.
- The documentation requirements that would be imposed on all entities are
  disproportionately burdensome to smaller private companies. We recommend
  scaling the documentation requirements to better fit the size and complexity
  of the institution.
- The timing for implementation, which would be December 15, 2006, is not
  realistic, and most likely not feasible. We suggest making the effective
  date of the SSAE at least one year following finalization of the SSAE.
Background
The provisions of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”)
were designed to protect the interests of investors and further the public
interest in the preparation of financial statements and informative, fair,
and independent audit reports. Sarbanes-Oxley included the creation of the
PCAOB which was charged with overseeing and regulating public company audit
reports. The PCAOB formally established professional guidelines by issuing
their Auditing Standard No. 2, which governs the independent auditor’s
attestation of and reporting on management’s assessment of the effectiveness
of internal controls over financial reporting.
Following the enactment of Sarbanes-Oxley, which imposed significant additional
burdens and requirements on public financial institutions of all sizes, and
subsequently, the PCAOB’s Auditing Standard No. 2, a number of questions
and concerns have arisen about the application of Sarbanes-Oxley to private
companies. In September 2004, ACB formally requested guidance from the Federal
Deposit Insurance Corporation (“FDIC”) on the issue of internal
control requirements for private FDICIA banks. In November 2004, ACB expressed
concern to the PCAOB that Auditing Standard No. 2 was being applied to private
companies, including community banks, by many external auditors.2 In response
to similar industry concerns, on January 19, 2006, the AICPA issued for comment
the ASB’s revised SSAE for private companies, which both incorporates
comments received on the initial SSAE issued in March 2003 and reflects guidance
from Auditing Standard No. 2. ACB appreciates this opportunity to provide feedback
to the ASB on the revised SSAE as we believe this to be an issue of utmost importance
to our members.
Increased Level of Oversight for Depository Institutions
For the banking industry, professional guidelines for internal controls over
financial reporting are not a new concept. Since 1993, depository institutions
with $500 million or more in assets (“private FDICIA banks”) have
been subject to internal control reporting and attestation requirements under
FDICIA, which requires banks to have audited financial statements, an annual
management assessment on internal controls, and an attestation of management’s
assessment on internal controls by the external auditor. In 2005, the asset
threshold exempting depository institutions from management’s assessment
of internal controls and external auditor attestation was raised to $1 billion.
Regulators felt comfortable with this approach since smaller institutions continue
to be subject to the full scope of banking laws and regulations, required to
have audited financial statements, an adequate internal control structure in
place, and, most importantly, subject to regular safety and soundness examinations.
In response to this regulatory and supervisory environment, privately held
or closely held community banks are generally run more conservatively than
companies in unregulated industries and the management teams typically have
a very keen understanding of the risks facing the institutions and the controls
in place to identify and manage those risks. ACB questions the necessity of
having increased internal control regulations imposed on an industry that is
already heavily regulated and subject to routine examination by government
regulators on a regular basis. Therefore, ACB recommends that private FDICIA
banks already subject to internal control reporting and attestation requirements
under FDICIA be allowed to remain under the current attestation requirements
and not be held to the increased level of oversight outlined in this proposal.
One Size Fits All Approach
The proposed SSAE does not make distinctions between private companies of
varying size or complexity. This proposal is “applicable to and appropriate
for examinations of the internal control of nonissuers, and useful to regulated
entities, such as financial institutions, insurance companies, and governmental
entities.” There is no distinction for applicability based on any sort
of asset threshold or activity level, and therefore, all privately held companies
would be subject to the same requirements. While it remains debatable whether
this proposal is appropriate for larger, complex, private companies, it is
certainly not appropriate for smaller, less complex, private companies.
Applying the same requirements to all private companies will result in a greater
resource and time burden for smaller companies in comparison to their larger
competitors. Therefore, ACB recommends varying the application of the various
portions of this SSAE based on both the asset size and complexity of the institution.
This will begin to mitigate the concerns raised by uniform application across
all types and sizes of private companies.
Documentation Requirements
The documentation requirements, as laid out in paragraphs 31 through 36 of
this proposal, include definitions of what constitutes sufficient evidence
related to management’s assertion about the effectiveness of internal
controls. ACB believes that these requirements are largely excessive for many
community banks and will provide less benefit to the entity or practitioner
when compared with the amount of internal and financial resources necessary
for preparing, maintaining or reviewing such records. Many smaller community
banks simply do not have the means to fulfill these requirements without facing
an undue burden.
ACB agrees that management should be required to provide a practitioner with
some form of documented evidence for all principal or material assertions.
However, the scope and detailed components of the proposed documentation requirements
will be beyond what is practical or necessary for management to communicate
the basis for internal control assertions at the majority of community banks.
For example, requiring that the design of internal controls be documented based
on the five components of internal controls, as described in paragraph 59,
is more costly and time consuming for management of smaller community banks
than is necessary for audit practitioners to adequately evaluate management’s
assertions. Therefore, we recommend scaling the documentation requirements
to better fit the size and complexity of the institution.
Timing for Implementation
Paragraph 268 of the proposal states that “This Statement is effective
when the subject matter or assertion is as of or for a period ending on or
after December 15, 2006.” This implementation timeline leaves an inadequate
amount of time for both the introduction of new internal control systems as
well as modifications to existing internal control systems. All institutions
subject to this proposal will most likely be faced with modifications, corrections,
or additions to their current methodologies which will produce a significant
quantity of necessary documentation prior to an annual audit. The proposed
effective date does not adequately consider the workload ahead for these companies
and should be pushed back to give more time for implementation. It should be
noted that the SEC recognized the issues of compliance and extended the time
frame for companies under a certain threshold. In not providing an adequate
implementation period to digest the new rules, private companies that are well
run could potentially be mislabeled as having inadequate internal controls.
In addition to the implementation difficulties that the affected institutions
are certain to be addressing in the proposed short timeframe, audit practitioners
will need to be trained before they can be expected to effectively audit an
entity while applying the new requirements to the entity’s internal controls.
It is unreasonable to assume that the practitioners will be adequately prepared
to enforce the proposal with the current effective date.
Therefore, ACB strongly recommends that the SSAE become effective at least
one year after it is finalized by the ASB. This would give management of the
audited entities more of an opportunity to effectively implement or modify
internal control systems as well as allowing time for the practitioners conducting
the audits to be thoroughly trained for evaluating these systems.
Conclusion
ACB believes that revising the AICPA’s current internal control requirements
is imperative in light of the recent implementation of the PCAOB’s Auditing
Standard No. 2. However, as discussed above, the ASB has drawn too heavily
on the PCAOB’s standards rather than developing appropriate requirements
for private companies. ACB stresses the importance of recognizing the increased
amount of oversight that exists for depository institutions in the already
heavily regulated banking industry. We strongly believe that changes should
be made to the proposal to mitigate the one-size-fits-all approach that will
result from uniform application across private companies of all sizes and complexity
levels. ACB feels that the documentation requirements should be scaled back
to more appropriately reflect practicality and necessity for smaller private
companies. Finally, the timing for implementation should be lengthened for
the sake of both management and practitioners to at least one year following
finalization.
ACB appreciates the invitation to comment on this issue. If you have any questions
about our comments, please do not hesitate to contact the undersigned at (202)
857-3158 or email at [email protected].
Sincerely,
Jodie G. Goff
Manager – Accounting and Financial Management Policy
1America’s Community Bankers is the national trade association committed to
shaping the future of banking by being the innovative industry leader strengthening
the competitive position of community banks. To learn more about ACB, visit
www.AmericasCommunityBankers.com.
2See letter from Diane Casey-Landry, President and CEO of ACB, to the Federal
Deposit Insurance Corporation, dated September 21, 2004, and a letter from Diane
Casey-Landry, President and CEO of ACB, to the PCAOB, dated November 4, 2004.
All are available at www.AmericasCommunityBankers.com.