Accounting is not thought of as a high-risk profession, but in the post-Sarbanes-Oxley world, reviewing the books has become far more risky than ever before. This week, federal bank regulatory agencies in the US issued a final interagency advisory on the "unsafe and unsound" use of limitation of liability provisions in external audit engagement letters. While not a formal rule, the advisory has the force of law because the regulators are allowed to issue guidelines regarding bank "safety and soundness" at any time, albeit after giving notice and allowing for public comment. Furthermore, banking regulatory advisory rulings affect all institutions, public and private.
The provisions the agencies deem "unsafe and unsound" track the position taken by the SEC and Public Company Accounting Oversight Board with respect to auditor liability for public companies, but take on a more significant aspect for auditors given the special legal relationship between the regulators, the FDIC's insurance fund, and the privately owned banks. The regulators have already sued auditors over losses resulting from bank failures where clean audit opinions had been rendered, in some cases just months before prompt corrective action was begun. This advisory makes clear that regulators want to use the threat of unlimited liability to compel auditors to detect unsound banking lending and other unsafe practices.
To quote the language in the notice from the Federal Register, the prohibited provisions can be generally categorized as an agreement by a financial institution that is a client of an external auditor to:
• Indemnify the external auditor against claims made by third parties;
• Hold harmless or release the external auditor from liability for claims or potential claims that might be asserted by the client financial institution, other than claims for punitive damages; or
• Limit the remedies available to the client financial institution, other than punitive damages.
Collectively, these categories of provisions are referred to in this Advisory as "limitation of liability provisions."
The notice continues: "Provisions that waive the right of financial institutions to seek punitive damages from their external auditor are not treated as unsafe and unsound under this Advisory. Nevertheless, agreements by clients to indemnify their auditors against any third party damage awards, including punitive damages, are deemed unsafe and unsound under this Advisory. To enhance transparency and market discipline, public financial institutions that agree to waive claims for punitive damages against their external auditors may want to disclose annually the nature of these arrangements in their proxy statements or other public reports. Many financial institutions are required to have their financial statements audited while others voluntarily choose to undergo such audits. For example, banks, savings associations, and credit unions with $500 million or more in total assets are required to have annual independent audits. Certain savings associations (for example, those with a CAMELS rating of 3, 4, or 5) and savings and loan holding companies are also required by OTS regulations to have annual independent audits. Furthermore, financial institutions that are public companies must have annual independent audits. The Agencies rely on the results of Audits as part of their assessment of the safety and soundness of a financial institution."
"In order for Audits to be effective, the external auditors must be independent in both fact and appearance, and must perform all necessary procedures to comply with auditing and attestation standards established by either the AICPA or, if applicable, the PCAOB. When financial institutions execute agreements that limit the external auditors' liability, the external auditors' objectivity, impartiality, and performance may be weakened or compromised, and the usefulness of the Audits for safety and soundness purposes may be diminished."
Of note, the regulators dismissed most of the objections raised by commenters regarding the advisory, in some cases rebuking them for a poor understanding of the issue. "Auditors, in their comments, expressed inconsistent interpretations of the meaning and scope of the SEC, PCAOB, and AICPA auditing standards relating to limitations of liability," the regulators stated in one of several rejoinders. "Agencies have concluded that supervisory guidance in addition to the existing auditing standards is necessary to carry out their safety and soundness mandate."
Preventive medicine is clearly the order of the day. "Several commenters asked the Agencies to provide examples of losses sustained by financial institutions as a result of limitation of liability provisions discussed in the Advisory. The Agencies' charge is to identify and mitigate the risk of loss to financial institutions, not merely to react after losses occur. Therefore, the appropriate standard to be applied in the Advisory is the risk of loss created by limitation of liability provisions, and not losses sustained by reason of such provisions. The Agencies do not believe that the Advisory would significantly affect the number of audit firms willing to provide external Audit services to financial institutions because limitation of liability provisions were not present in the majority of the engagement letters reviewed by the Agencies."
It seems that regulators are drawing a line in the sand for auditors of banks, putting a premium on early detection of unsound behavior. If the auditor detects bad acts and reports same to the regulators, odds are pretty good the auditor will be given the benefit of the doubt. But auditors that fail to flag fraud or other management behavior which leads to an unsafe or unsound condition within an insured depository institution shall bear the full burden of the liability risk.