[Federal Register Volume 71, Number 27 (Thursday, February 9, 2006)] [Notices] [Pages 6847-6855] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 06-1189] ----------------------------------------------------------------------- DEPARTMENT OF THE TREASURY FEDERAL RESERVE SYSTEM FEDERAL DEPOSIT INSURANCE CORPORATION NATIONAL CREDIT UNION ADMINISTRATION [No. 2006-04] Office of the Comptroller of the Currency Office of Thrift Supervision Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters AGENCIES: Office of Thrift Supervision (OTS), Treasury; Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); National Credit Union Administration (NCUA); Office of the Comptroller of the Currency (OCC), Treasury. ACTION: Issuance of Interagency Advisory. ----------------------------------------------------------------------- SUMMARY: The OTS, Board, FDIC, NCUA, and OCC (collectively, the ``Agencies''), have finalized the Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters (``Advisory''). The Advisory informs financial institutions'' boards of directors, audit committees, and management that they should not enter into agreements that incorporate unsafe and unsound external auditor limitation of liability provisions with respect to engagements for financial statement audits, audits of internal control over financial reporting, and attestations on management's assessment of internal control over financial reporting. DATES: Effective Date: The Advisory is effective for engagement letters executed on or after February 9, 2006. FOR FURTHER INFORMATION CONTACT: OTS: Jeffrey J. Geer, Chief Accountant, at [email protected] or (202) 906-6363; or Patricia Hildebrand, Senior Policy Accountant, at [email protected] or (202) 906-7048. Board: Terrill Garrison, Supervisory Financial Analyst, at [email protected] or (202) 452-2712; or Nina A. Nichols, Assistant Director, at [email protected] or (202) 452-2961. FDIC: Harrison E. Greene, Jr., Senior Policy Analyst (Bank Accounting), Division of Supervision and Consumer Protection, at [email protected] or (202) 898-8905; or Michelle Borzillo, Counsel, Supervision and Legislation Section, Legal Division, at [email protected] or (202) 898-7400. NCUA: Karen Kelbly, Chief Accountant, at [email protected] or (703) 518-6389; or Steven Widerman, Trial Attorney, Office of General Counsel, at [email protected] or (703) 518-6557. OCC: Zane Blackburn, Chief Accountant, at [email protected] or (202) 874-4944; or Kathy Murphy, Deputy Chief Accountant, at [email protected] or (202) 874-5675. SUPPLEMENTARY INFORMATION: I. Background The Agencies have observed an increase in the types and frequency of provisions in financial institutions' external audit engagement letters that limit the auditors' liability. These provisions take many forms, but can generally be categorized as an agreement by a financial institution that is a client of an external auditor to:Indemnify the external auditor against claims made by third parties; Hold harmless or release the external auditor from liability for claims or potential claims that might be asserted by the client financial institution; or Limit the remedies available to the client financial institution. Reliable financial and regulatory reporting supports the Agencies' risk-focused supervision of financial institutions by contributing to effective pre-examination planning and off-site monitoring and appropriate assessments of an institution's internal control over financial reporting, capital adequacy, financial condition, and performance. Audits play a valuable role in ensuring the reliability of institutions' financial information. The Agencies believe that when financial institutions agree to limit their external auditors' liability, either in provisions in engagement letters or in provisions that accompany alternative dispute resolution (ADR) agreements, such provisions may weaken the external auditors' objectivity, impartiality, and performance. The inclusion of such provisions in financial institutions' external audit engagement letters may reduce the reliability of audits and therefore raises safety and soundness concerns. On May 10, 2005, the Federal Financial Institutions Examinations Council (FFIEC) on behalf of the Agencies published in the Federal Register a proposed Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions and Certain Alternative Dispute Resolution Provisions in External Audit Engagement Letters (70 FR 24576) and sought comments to fully understand the effect of the proposed Advisory on financial institutions. II. Scope of Advisory The Advisory applies to engagement letters between financial institutions and external auditors with respect to financial statement audits, audits of internal control over financial reporting, and attestations on management's assessment of internal control over financial reporting (collectively, ``Audit'' or ``Audits''). The Advisory does not apply to: Non-audit services that may be performed by financial institutions' external auditors; Audits of financial institutions' 401K plans, pension plans, and other similar audits; Services performed by accountants who are not engaged to perform financial institutions' Audits (e.g., outsourced internal audits, loan reviews); and Other service providers (e.g., software consultants, legal advisors). The Advisory applies to all Audits of financial institutions, regardless of whether an institution is a public or a non-public company, including Audits required under Section 36 of the Federal Deposit Insurance Act, OTS regulations, or Section 202 of the Federal Credit Union Act, Audits required by any of the Agencies, and voluntary Audits. [[Page 6848]] III. Summary of Comments Overview The Agencies received 44 comment letters from auditors, financial institutions, trade organizations, attorneys, arbitration associations, and other interested parties. While public comments were requested on all aspects of the Advisory, the Agencies specifically sought comments on seven questions. Less than one third of all commenters addressed all seven questions. Most financial institutions and industry trade groups supported the proposed Advisory and commended the Agencies' efforts. A number of the commenters explained that limitation of liability provisions in audit engagement letters originate with external auditing firms rather than financial institutions. Most of the letters from external auditors opposed the proposal. External auditors explained that limitation of liability provisions are risk management tools commonly used in audit engagement pricing as well as in other business transactions. They asserted that such provisions allocate risk and facilitate a timely and cost effective means to resolve disputes while minimizing litigation expenses. Further, auditors stated that they should not be liable for losses resulting from knowing misrepresentations by the client's management. A number of commenters asked for clarification on the scope of the Advisory and on the application of the Advisory to ADR agreements (e.g., arbitration) and waivers of jury trials. The Agencies have addressed these comments in the Advisory. A number of commenters stated that the U.S. Securities and Exchange Commission (SEC), the Public Company Accounting Oversight Board (PCAOB), and the American Institute of Certified Public Accountants (AICPA) have established auditor independence rules and requirements; therefore, they asserted, the Advisory is not needed. Other commenters expressed a need for the SEC, PCAOB, and AICPA to clarify their guidance. On September 15, 2005, the AICPA published for comment its proposed interpretation of its auditor independence standards. In that proposal, the AICPA specifically identified limitation of liability provisions that impair auditor independence under its standards. Most of the provisions cited as unsafe and unsound in the Agencies' Advisory were also deemed to impair independence in the AICPA's proposed interpretation. Comments A. Application to Non-public Companies A number of commenters expressed concern that the Agencies were applying SEC and PCAOB auditor independence rules to Audits of non- public companies. The Agencies' audit rules for financial institutions generally reference both the AICPA and SEC auditor independence standards and already apply to many non-public institutions. Therefore, the concept of applying SEC auditor independence standards to non- public financial institutions is in place under existing bank and thrift audit regulations and is not the result of the issuance of the Advisory. Since safety and soundness concerns apply equally to all institutions' Audits, the Advisory does not establish different requirements for public and non-public financial institutions. B. Risk Management and Business Practices Auditors asserted that to the extent the Advisory would limit an auditor's ability to use risk allocation tools such as: (1) Capping damages; (2) restricting the time period to file a claim; (3) restricting the transfer or assignment of legal rights by an audit client; or (4) otherwise limiting the allocation of risk between contracting parties, the Advisory would result in auditors assuming more risk, which would lead to economic costs with no countervailing showing of benefits, such as improved audits. Auditors further stated that the Advisory largely ignores the interest that financial institutions have in obtaining professional and independent audit services within a framework of allocated risk. Further, auditors stated that the Advisory attempts to use safety and soundness as a means for setting auditor independence standards and limits the use of accepted business practices to manage disputes. In addition, the auditors and some financial institutions expressed concerns that the Advisory may result in an increase in costs and be a disincentive for financial institutions to continue to engage an auditor when not required to do so. The Agencies continue to believe that certain limitation of liability provisions reduce the auditor's accountability and thus may weaken the auditor's objectivity, impartiality, and performance. In the Agencies' judgment, concerns about potential increased costs or restrictions on the ability of the parties to an audit engagement letter to allocate risk do not outweigh the need to protect financial institutions from the safety and soundness concerns posed by such limitation of liability provisions. Furthermore, any disincentive for financial institutions to obtain Audits when not required should be limited because Audits represent best practices and are strongly encouraged by the Agencies. In addition, these limitations on external auditor liability may not be consistent with the auditor independence standards of the SEC, PCAOB, and AICPA. All financial institution Audits must comply with the independence standards set by one or more of these standard-setters. C. Management's Knowing Misrepresentations Many auditors asserted that the information provided to outside auditors is management's responsibility and that audit firms should not be liable unless fraudulent behavior or willful misconduct exists on the part of the auditor. Further, if management knowingly misrepresents significant facts to the external auditor, it is sometimes impossible for the auditor to uncover the true facts of a situation. The auditors asserted that they should be allowed to limit their liability when knowing misrepresentations of management contribute to the loss. Those commenters further stated that indemnification for management's knowing misrepresentations communicates a commitment that financial institution management and its governing board understand their responsibilities to perform honestly and legally. These commenters rejected the assertion that indemnifying auditors for management's knowing misrepresentations might cause an auditor to lose independence or to perform a less responsible audit. They also stated that protections that the client may provide against the client's own knowing misrepresentations do not preclude third parties from suing the auditor. Nevertheless, a clause that would release, indemnify, or hold an external auditor harmless from any liability resulting from knowing misrepresentations by management is inappropriate under the SEC's existing guidance on auditor independence (see Appendix B of the Advisory). The inclusion in external audit engagement letters of limitation of liability provisions that are prohibited by the auditor independence rules and interpretations of the SEC, PCAOB, or AICPA is considered an unsafe and unsound practice for financial [[Page 6849]] institutions. Provisions not clearly addressed by authoritative guidance may also raise safety and soundness concerns when there is a potential impairment of the external auditors' independence, objectivity, impartiality, or performance. The AICPA's Professional Standards, AU Section 110: Responsibilities and Functions of the Independent Auditor state: ``The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.'' The Agencies believe that including an indemnification or limitation of liability provision for the client's knowing misrepresentations, willful misconduct, or fraudulent behavior in an Audit engagement letter may not be viewed as consistent with the auditor's duty and obligation to comply with auditing standards. The Agencies acknowledge that management bears the responsibility for its conduct and representations. Nevertheless, the auditor has a responsibility to obtain reasonable assurance that the financial statements are free from material misstatements, including misstatements caused by management fraud. A limitation of liability provision in external Audit engagement letters for management's knowing misrepresentations, willful misconduct, or fraudulent behavior could act to reduce the auditor's professional skepticism. Limited liability could lead to inadvertent consequences such as an auditor not fully considering the possibility that management fraud exists. This might result in less robust challenges to and over-reliance on management's representations rather than performance of appropriate audit procedures to corroborate them. The Agencies believe that the auditor's potential liability related to material misstatements due to management's misrepresentations should be decided by a trier of fact in a legal or other proceeding and should not be predetermined in the engagement letter. The trier of fact would take into account whether the Audit was properly conducted in accordance with applicable auditing standards. D. Auditor Independence and Performance Standards Many auditors contended that various limitation of liability provisions addressed in the proposed Advisory would not impair their independence. For example, a large accounting firm stated, ``* * * the Proposal goes far beyond the independence standards established by the SEC, PCAOB, and AICPA.'' Another large accounting firm stated, ``Of the specific contractual terms identified for criticism in the proposal, some are already prohibited by the SEC for those entities subject to SEC regulation. Other contractual terms, however, are fully permissible and widely in use as tools to allocate risk.'' In contrast, other commenters contended that all of the provisions in the proposal impair an auditor's independence. This view was most clearly expressed in the comment letter from an independent proxy and financial research firm, which stated, ``We believe audit engagement letters containing liability limitations impair the auditor's independence and reduce audit quality to an unacceptable level.'' They further stated, ``We believe it is inappropriate for an audit contract between a company and its auditor to limit the auditor's liability including (1) Any limitations on rights to trial, (2) limits on compensatory or punitive damages, or (3) limits on discovery, including in arbitration.'' A number of commenters discussed the auditor's requirement to comply with auditing standards and stated that the failure to comply with such standards would result in the violation of the requirements of the SEC, PCAOB, AICPA, and/or state licensing authorities. Some commenters stated that adherence to professional auditing standards is further assured by periodic peer reviews and by PCAOB inspections. Commenters noted that auditors are subject to possible disciplinary action by state boards of accountancy, the SEC, the PCAOB, and the AICPA. These commenters concluded that the auditor's performance is controlled by professional standards and is not influenced by provisions in audit engagement letters that limit the auditor's liability. Consequently, they believed that the Advisory is unnecessary. The Agencies' observations lead them to conclude otherwise. Their concern is that limitation of liability provisions may adversely impact the reliability of Audits whether related to disincentives for auditor performance or impairment of auditor independence in fact or appearance. The Agencies have not attempted to categorize limitation of liability provisions that adversely affect safety and soundness as either matters of performance or independence. The Agencies acknowledge that the SEC, PCAOB, and AICPA set independence and performance standards for auditors. The Advisory does not purport to affect those standards. Regardless of whether limitation of liability provisions are permissible under auditor independence standards, the Agencies have a separate obligation to evaluate their impact on the safety and soundness of financial institutions. Some commenters questioned whether the Agencies have adequate evidence that limitation of liability provisions adversely affect auditor independence, objectivity, and performance. The Agencies acknowledge that it is inherently difficult to prove links from circumstances to states of mind and from there to performance. Nevertheless, the Agencies cannot wait for proof of harm before establishing guidance to ensure the safety and soundness of financial institutions. The Agencies must make judgments about circumstances that may render Audits less reliable. The Agencies' concern with the potential impact of such provisions is not only that an auditor might intentionally act less than appropriately, but might unconsciously do so. A reasonable person may believe that limitation of liability provisions create circumstances that may adversely affect Audit reliability. For example, a reasonable person may conclude that if the auditor faces less potential liability for the Audit, the auditor may be less thorough. Further, that knowledge may erode the auditor's independence of mind. The Agencies observe that the SEC has addressed limitations of liability in its independence rulings for more than 50 years. The AICPA also addresses limitations of liability in its independence standards and related interpretations. Additionally, many commenters stated that limitations of liability impair an auditor's independence. Auditors, in their comments, expressed inconsistent interpretations of the meaning and scope of the SEC, PCAOB, and AICPA auditing standards relating to limitations of liability. The Agencies have concluded that supervisory guidance in addition to the existing auditing standards is necessary to carry out their safety and soundness mandate. Because the Agencies rely on Audits to help ensure the safety and soundness of financial institutions, they are necessarily concerned with provisions that could affect the auditor's judgment and professional skepticism. Thus, the Agencies have concluded that since the limitation of liability provisions may adversely affect Audit reliability, such provisions are considered unsafe and unsound. [[Page 6850]] E. Waivers of Punitive Damages The comment letters included much discussion on punitive damage waivers. Some commenters stated that the Advisory should not prohibit these waivers. The AICPA's comment letter typified the views of the commenters advocating punitive damage waivers. The AICPA asserted, ``* * * limiting an auditor's liability to the client for punitive damage claims will not impair independence or objectivity, provided the auditor remains liable for actual damages--that is, the auditor remains exposed to clients, and also to lenders, shareholders, and other non- clients, for damages for any actual harm caused.'' Others noted that a waiver of punitive damages by the client has no bearing on punitive damages that may be sought by a third party. Several commenters stated that a financial institution's agreement to not seek punitive damages has no effect on the safety and soundness of a financial institution. Due in part to the extensive comments regarding client agreements not to seek punitive damages from their auditors, the Agencies have decided to take the issue under advisement. Accordingly, at this time, provisions that waive the right of financial institutions to seek punitive damages from their external auditor are not treated as unsafe and unsound under the Advisory. Nevertheless, the Agencies have concluded that agreements by financial institutions to indemnify their auditors for third party punitive damage awards are deemed unsafe and unsound. To enhance transparency and market discipline, public financial institutions that agree to waive claims for punitive damages against their external auditors may want to disclose annually the nature of these arrangements in their proxy statements or other public reports. F. Alternative Dispute Resolution Agreements and Waiver of Jury Trials The Advisory encourages all financial institutions to review proposed Audit engagement letters presented by audit firms and understand any limitations imposed by mandatory pre-dispute alternative dispute resolution agreements (ADR) (including arbitration agreements) or jury trial waivers on the institution's ability to recover damages from an audit firm in any future litigation. The Advisory also directs financial institutions to review rules of procedure referenced in ADR agreements to ensure that the potential consequences of such procedures are acceptable to the institution and to recognize that ADR agreements may themselves incorporate limitation of liability provisions. A number of commenters stated that the Advisory addresses mandatory ADR mechanisms and the waiver of jury trials in a way that will discourage financial institutions from agreeing in advance with their auditors to use these widely accepted, efficient, and cost effective means of resolving disputes. A few commenters noted that ADR and waiver of jury trial provisions do not take away rights; they merely reflect the parties' choice of a method for resolving a dispute. Further, commenters stated that the Agencies have previously issued pronouncements that recognize and even encourage the use of ADR, for example, the FDIC's Statement of Policy on Use of Binding Arbitration (66 FR 18632 (April 10, 2001)). The Interagency Policy Statement on the Internal Audit Function and its Outsourcing (issued by the OTS, Board, FDIC, and OCC in March 2003) provides that all written contracts between vendors and financial institutions shall prescribe a process (arbitration, mediation, or other means) for resolving disputes and for determining who bears the costs of consequential damages arising from errors, omissions, and negligence. Commenters also stated that ADR is commercially reasonable because it creates certainty and reduces litigation-related costs and, therefore, should be encouraged. The Agencies observed that limitation of liability provisions frequently accompanied ADR or waiver of jury trial agreements contained in or referenced by Audit engagement letters. The Agencies do not oppose ADR or waiver of jury trial agreements. However, the Agencies do object to the practice of including unsafe and unsound limitation of liability provisions in these agreements. In response to the comments received, the Agencies clarified that ADR or waiver of jury trial provisions in Audit engagement letters do not present safety and soundness concerns, provided the agreements do not incorporate limitation of liability provisions. Institutions should carefully review ADR and jury trial provisions in engagement letters, as well as any agreements regarding rules of procedure. ADR agreements should not include any unsafe and unsound limitation of liability provisions. The Advisory does not change or affect previously issued policies referencing ADR and does not encourage or discourage the use of ADR in Audit engagement letters. G. Legal Considerations Four commenters addressed legal aspects of the proposed Advisory. Two of the four commented that state and Federal laws explicitly permit limitation of liability or indemnification provisions. They indicated that these clauses are a common feature in many business and consumer contracts in wide use today. The Agencies note that Audits by their nature require a uniquely high level of objectivity and impartiality as compared to other types of business arrangements. Therefore, some commonly used limitation of liability provisions that may be acceptable for other business contracts are inappropriate for Audits of financial institutions. Another commenter stated that certain jurisdictions prohibit claims against auditors where management fraud is imputable to the client. The Advisory is not intended to override existing state or Federal laws that govern the types of damages that may be awarded by the courts. It advises financial institutions' boards of directors, audit committees, and management that they should not agree to any Audit engagement letters that may present safety and soundness concerns, including provisions that may violate the auditor independence standards of the SEC, PCAOB, or AICPA, as applicable. One commenter stated that the Agencies have not complied with the legal constraints on Federal agency rulemaking (e.g., the Administrative Procedures Act (APA) and Executive Order 12866) with the Advisory. The APA prohibits agency action that is, among other things, arbitrary and capricious. Executive Order 12866 provides that when a Federal agency engages in rulemaking, it must first determine whether a rule is necessary. The Agencies have authority to issue safety and soundness guidance without engaging in a formal rulemaking procedure. Under 12 U.S.C. 1831p-1(d)(1), the Agencies issue standards for safety and soundness by regulation or by guideline. The Advisory is issued under that authority and the supervisory authority vested in each of the Agencies. The Agencies have determined that there is a significant need for guidance based on their review of actual auditor engagement letters, the comments from financial institutions that strongly expressed a need for guidance, and the likely benefits as compared to the possible costs. [[Page 6851]] H. Other Considerations Several commenters expressed concern that, since the Advisory does not apply to other industries, financial institutions will not have a level playing field with other audit clients when negotiating audit engagement terms. In the Agencies' judgment, any concerns about potential increased costs or restrictions on the ability of financial institutions, as compared to other audit clients, to negotiate Audit engagement terms do not outweigh the need to protect financial institutions from safety and soundness concerns posed by limitation of liability provisions. Other commenters stated that auditors should only be liable for audits they perform. The commenters believed that a financial institution's engagement letter covers only the period under audit and that auditors should not be held responsible for losses arising in subsequent periods in which the auditor was not engaged. Further, losses that arise in subsequent periods that may be related to matters that existed during periods previously audited by another audit firm should not result in a liability to the successor audit firm. The Agencies concur with the concept that auditors are not responsible for the work of others. The Agencies object to provisions that are worded in a way that may not only preclude collection of consequential damages for harm in later years, but that may also preclude any recovery at all. For example, the Agencies observed provisions where no claim of liability could be brought against an auditor until the audit report is actually delivered, and then these provisions limited any liability thereafter to claims raised during the period covered by the audit. In other words, the auditor's liability may be limited to claims raised during the period before there could be any liability. Read more broadly, the auditor would be liable for losses that arise in subsequent years only if the auditor continued to audit subsequent periods. Several commenters asked the Agencies to provide examples of losses sustained by financial institutions as a result of limitation of liability provisions discussed in the Advisory. The Agencies' charge is to identify and mitigate the risk of loss to financial institutions, not merely to react after losses occur. Therefore, the appropriate standard to be applied in the Advisory is the risk of loss created by limitation of liability provisions, and not losses sustained by reason of such provisions. I. Questions, Comments, and Responses 1. The Advisory, as written, indicates that limitation of liability provisions are inappropriate for all financial institution external audits. a. Is the scope appropriate? If not, to which financial institutions should the Advisory apply and why? b. Should the Advisory apply to financial institution audits that are not required by law, regulation, or order? Comments and Responses: The vast majority of commenters stated that the Advisory should apply uniformly to audits of financial statements for all financial institutions. A few commenters stated that voluntary audits should not be subject to the provisions in the Advisory. Several commenters stated that the Advisory should apply to audits of all entities, not just financial institutions. Since the Agencies are concerned with the safety and soundness of all financial institutions, the Advisory applies to all Audits of financial institutions including voluntary Audits. Regarding the comments relative to the broader application of the Advisory, the Agencies do not have the authority to apply the Advisory to entities other than financial institutions. 2. What effects would the issuance of this Advisory have on financial institutions' ability to negotiate the terms of audit engagements? Comments and Responses: Several commenters stated that the Advisory will harm financial institutions' ability to negotiate the terms of audit engagements and therefore either result in higher audit costs or a lessened ability to negotiate on usual business terms. Other commenters stated that negotiations would be easier because auditors would not be able to force undesirable terms into engagement letters. The Agencies believe that the Advisory does not unduly affect the negotiating positions of the parties or pose undue burdens on auditors because these clauses did not exist in the majority of the engagement letters reviewed by the Agencies. 3. Would the Advisory on limitation of liability provisions result in an increase in external audit fees? a. If yes, would the increase be significant? b. Would it discourage financial institutions that voluntarily obtain audits from continuing to be audited? c. Would it result in fewer audit firms being willing to provide external audit services to financial institutions? Comments and Responses: The majority of commenters stated that audit fees would increase; however, the range of increase was judged to be anywhere from ``insignificant'' to ``dramatic.'' A few commenters stated that fees would remain the same because many auditors have performed audits without limitation of liability provisions for a very long period of time. Most commenters stated that an increase in audit fees would not discourage financial institutions from engaging auditors because Audits represent best business practices and because the benefits of Audits would continue to outweigh the costs. A few commenters said that the increase in fees would reduce the number of financial institutions that voluntarily obtain audits. More than half of the commenters expressed concern about the number of auditors willing to perform audits of financial institutions because of the inability to include limitation of liability provisions in the engagement letters. Several commenters noted that the use of such clauses furthers the public interest in reducing dispute resolution costs and ensures the availability of reasonably affordable audit services and the equitable distribution of financial risk. Commenters also noted that audit fees are determined by a variety of factors and engagement risk is a significant component. In the Agencies' judgment, any concerns about potential increased costs or restrictions on the ability of the parties to an Audit engagement letter to allocate risk do not outweigh the need to protect financial institutions from safety and soundness concerns posed by limitation of liability provisions. Furthermore, any disincentive for financial institutions to obtain Audits when not required should be limited because Audits represent best practices and are strongly encouraged by the Agencies. The Agencies do not believe that the Advisory would significantly affect the number of audit firms willing to provide external Audit services to financial institutions because limitation of liability provisions were not present in the majority of the engagement letters reviewed by the Agencies. 4. The Advisory describes three general categories of limitation of liability provisions. a. Is the description complete and accurate? b. Is there any aspect of the Advisory or terminology that needs clarification? Comments and Responses: The vast majority of commenters found the three general categories of limitation of liability provisions complete and accurate and did not express a need for [[Page 6852]] the Advisory or terminology to be clarified. It was apparent from the comments received that the discussion of ADR was unclear; the Agencies have clarified their position in the Advisory. 5. Appendix A of the Advisory contains examples of limitation of liability provisions. a. Do the examples clearly and sufficiently illustrate the types of provisions that are inappropriate? b. Are there other inappropriate limitation of liability provisions that should be included in the Advisory? If so, please provide examples. Comments and Responses: The vast majority of commenters found the examples of limitation of liability provisions to clearly and sufficiently illustrate the types of provisions that are inappropriate. A number of commenters stated that permitting an auditor and a client to agree to a release from or indemnification for claims resulting from knowing misrepresentations by management is fundamentally fair to the client and is a significant deterrent to management fraud. As discussed in section C. Management's Knowing Misrepresentations, the Agencies are not persuaded by the commenters' arguments. 6. Is there a valid business purpose for financial institutions to agree to any limitation of liability provision? If so, please describe the limitation of liability provision and its business purpose. Comments and Responses: Very few commenters directly responded to this question. Those commenters indicated there is not a valid business purpose for financial institutions to agree to any limitation of liability provision in audit engagements. 7. The Advisory strongly recommends that financial institutions take appropriate action to nullify limitation of liability provisions in 2005 audit engagement letters that have already been accepted. Is this recommendation appropriate? If not, please explain your rationale (including burden and cost). Comments and Responses: The vast majority of commenters stated that accepted audit engagement letters containing limitation of liability provisions should not require nullification for a number of reasons, including the fact that a contract negotiated in good faith should not be subject to renegotiation. The Agencies agreed with these comments. The Advisory applies to Audit engagement letters executed on or after February 9, 2006. Financial institutions are not required to nullify Audit engagement letters executed prior to February 9, 2006. If a financial institution has executed a multi-year Audit engagement letter prior to February 9, 2006 (e.g., covering years ending in 2007 or later), the Agencies encourage financial institutions to seek to amend the engagement letter to be consistent with the Advisory for any Audit periods ending in 2007 or later. IV. Paperwork Reduction Act In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. Chapter 35), the Agencies have reviewed the Advisory and determined that it does not contain a collection of information pursuant to the Act. Text of Interagency Advisory The text of the Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters follows: Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters Purpose This Advisory, issued jointly by the Office of Thrift Supervision (OTS), the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC) (collectively, the ``Agencies''), alerts financial institutions' \1\ boards of directors, audit committees, management, and external auditors to the safety and soundness implications of provisions that limit external auditors' liability in audit engagements. --------------------------------------------------------------------------- \1\ As used in this document, the term financial institutions includes banks, bank holding companies, savings associations, savings and loan holding companies, and credit unions. --------------------------------------------------------------------------- Limits on external auditors' liability may weaken the external auditors' objectivity, impartiality, and performance and, thus, reduce the Agencies' ability to rely on Audits. Therefore, certain limitation of liability provisions (described in this Advisory and Appendix A) are unsafe and unsound. In addition, such provisions may not be consistent with the auditor independence standards of the U.S. Securities and Exchange Commission (SEC), the Public Company Accounting Oversight Board (PCAOB), and the American Institute of Certified Public Accountants (AICPA). Scope This Advisory applies to engagement letters between financial institutions and external auditors with respect to financial statement audits, audits of internal control over financial reporting, and attestations on management's assessment of internal control over financial reporting (collectively, ``Audit'' or ``Audits''). This Advisory does not apply to: Non-Audit services that may be performed by financial institutions' external auditors; Audits of financial institutions' 401K plans, pension plans, and other similar audits; Services performed by accountants who are not engaged to perform financial institutions' Audits (e.g., outsourced internal audits, loan reviews); and Other service providers (e.g., software consultants, legal advisors). While the Agencies have observed several types of limitation of liability provisions in external Audit engagement letters, this Advisory applies to any agreement that a financial institution enters into with its external auditor that limits the external auditor's liability with respect to Audits in an unsafe and unsound manner. Background A properly conducted audit provides an independent and objective view of the reliability of a financial institution's financial statements. The external auditor's objective in an audit is to form an opinion on the financial statements taken as a whole. When planning and performing the audit, the external auditor considers the financial institution's internal control over financial reporting. Generally, the external auditor communicates any identified deficiencies in internal control to management, which enables management to take appropriate corrective action. In addition, certain financial institutions are required to file audited financial statements and internal control audit/attestation reports with one or more of the Agencies. The Agencies encourage financial institutions not subject to mandatory audit requirements to voluntarily obtain audits of their financial statements. The Federal Financial Institutions Examination Council's (FFIEC) Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations \2\ notes, ``[a]n institution's internal and external audit programs are critical to its safety and soundness.'' The Policy also states that an effective external auditing program ``can improve the safety and soundness [[Page 6853]] of an institution substantially and lessen the risk the institution poses to the insurance funds administered by the Federal Deposit Insurance Corporation (FDIC).'' --------------------------------------------------------------------------- \2\ Published in the Federal Register on September 28, 1999 (64 FR 52319). The NCUA, a member of the FFIEC, has not adopted the policy statement. --------------------------------------------------------------------------- Typically, a written engagement letter is used to establish an understanding between the external auditor and the financial institution regarding the services to be performed in connection with the financial institution's audit. The engagement letter commonly describes the objective of the audit, the reports to be prepared, the responsibilities of management and the external auditor, and other significant arrangements (e.g., fees and billing). The Agencies encourage boards of directors, audit committees, and management to closely review all of the provisions in the audit engagement letter before agreeing to sign. As with all agreements that affect a financial institution's legal rights, legal counsel should carefully review audit engagement letters to help ensure that those charged with engaging the external auditor make a fully informed decision. While the Agencies have not observed provisions that limit an external auditor's liability in the majority of external audit engagement letters reviewed, they have observed a significant increase in the types and frequency of these provisions. These provisions take many forms, making it impractical to provide an all-inclusive list. This Advisory describes the types of objectionable limitation of liability provisions and provides examples.\3\ --------------------------------------------------------------------------- \3\ Examples of auditor limitation of liability provisions are illustrated in Appendix A. --------------------------------------------------------------------------- Financial institutions' boards of directors, audit committees, and management should also be aware that certain insurance policies (such as error and omission policies and director and officer liability policies) might not cover losses arising from claims that are precluded by limitation of liability provisions. Limitation of Liability Provisions The provisions the Agencies deem unsafe and unsound can be generally categorized as an agreement by a financial institution that is a client of an external auditor to: Indemnify the external auditor against claims made by third parties; Hold harmless or release the external auditor from liability for claims or potential claims that might be asserted by the client financial institution, other than claims for punitive damages; or Limit the remedies available to the client financial institution, other than punitive damages. Collectively, these categories of provisions are referred to in this Advisory as ``limitation of liability provisions.'' Provisions that waive the right of financial institutions to seek punitive damages from their external auditor are not treated as unsafe and unsound under this Advisory. Nevertheless, agreements by clients to indemnify their auditors against any third party damage awards, including punitive damages, are deemed unsafe and unsound under this Advisory. To enhance transparency and market discipline, public financial institutions that agree to waive claims for punitive damages against their external auditors may want to disclose annually the nature of these arrangements in their proxy statements or other public reports. Many financial institutions are required to have their financial statements audited while others voluntarily choose to undergo such audits. For example, banks, savings associations, and credit unions with $500 million or more in total assets are required to have annual independent audits.\4\ Certain savings associations (for example, those with a CAMELS rating of 3, 4, or 5) and savings and loan holding companies are also required by OTS regulations to have annual independent audits.\5\ Furthermore, financial institutions that are public companies \6\ must have annual independent audits. The Agencies rely on the results of Audits as part of their assessment of the safety and soundness of a financial institution. --------------------------------------------------------------------------- \4\ For banks and savings associations, see Section 36 of the Federal Deposit Insurance Act (FDI Act) (12 U.S.C. 1831m) and Part 363 of the FDIC's regulations (12 CFR Part 363). For credit unions, see Section 202(a)(6) of the Federal Credit Union Act (12 U.S.C. 1782(a)(6)) and Part 715 of the NCUA's regulations (12 CFR Part 715). \5\ See OTS regulation at 12 CFR 562.4. \6\ Public companies are companies subject to the reporting requirements of the Securities Exchange Act of 1934. --------------------------------------------------------------------------- In order for Audits to be effective, the external auditors must be independent in both fact and appearance, and must perform all necessary procedures to comply with auditing and attestation standards established by either the AICPA or, if applicable, the PCAOB. When financial institutions execute agreements that limit the external auditors' liability, the external auditors' objectivity, impartiality, and performance may be weakened or compromised, and the usefulness of the Audits for safety and soundness purposes may be diminished. By their very nature, limitation of liability provisions can remove or greatly weaken external auditors' objective and unbiased consideration of problems encountered in audit engagements and may diminish auditors' adherence to the standards of objectivity and impartiality required in the performance of Audits. The existence of such provisions in external audit engagement letters may lead to the use of less extensive or less thorough procedures than would otherwise be followed, thereby reducing the reliability of Audits. Accordingly, financial institutions should not enter into external audit arrangements that include unsafe and unsound limitation of liability provisions identified in this Advisory, regardless of (1) The size of the financial institution, (2) whether the financial institution is public or not, or (3) whether the external audit is required or voluntary. Auditor Independence Currently, auditor independence standard-setters include the SEC, PCAOB, and AICPA. Depending upon the audit client, an external auditor is subject to the independence standards issued by one or more of these standard-setters. For all credit unions under the NCUA's regulations, and for other non-public financial institutions that are not required to have annual independent audits pursuant to either Part 363 of the FDIC's regulations or Sec. 562.4 of the OTS's regulations, the Agencies' rules require only that an external auditor meet the AICPA independence standards; they do not require the financial institution's external auditor to comply with the independence standards of the SEC and the PCAOB. In contrast, for financial institutions subject to the audit requirements either in Part 363 of the FDIC's regulations or in Sec. 562.4 of the OTS's regulations, the external auditor should be in compliance with the AICPA's Code of Professional Conduct and meet the independence requirements and interpretations of the SEC and its staff.\7\ In this regard, in a December 13, 2004, Frequently Asked Question (FAQ) on the application of the SEC's auditor independence rules, the SEC staff reiterated its long-standing position that when an accountant and his or her client enter into an agreement which seeks to provide the accountant immunity from liability for his or her [[Page 6854]] own negligent acts, the accountant is not independent. The FAQ also states that including in engagement letters a clause that would release, indemnify, or hold the auditor harmless from any liability and costs resulting from knowing misrepresentations by management would impair the auditor's independence.\8\ The SEC's FAQ is consistent with Section 602.02.f.i. (Indemnification by Client) of the SEC's Codification of Financial Reporting Policies. (Section 602.02.f.i. and the FAQ are included in Appendix B.) --------------------------------------------------------------------------- \7\ See FDIC Regulation 12 CFR Part 363, Appendix A--Guidelines and Interpretations; Guideline 14, Role of the Independent Public Accountant--Independence; and OTS Regulation 12 CFR 562.4(d)(3)(i), Qualifications for independent public accountants. \8\ In contrast to the SEC's position, AICPA Ethics Ruling 94 (ET Sec. 191.188-189) currently concludes that indemnification for ``knowing misrepresentations by management'' does not impair independence. On September 15, 2005, the AICPA published for comment its proposed interpretation of its auditor independence standards. In that proposal the AICPA specifically identified limitation of liability provisions that impair auditor independence under the AICPA's standards. Most of the provisions cited in this Advisory were deemed to impair independence in the AICPA's proposed interpretation. At this writing, the AICPA has not issued a final interpretation. --------------------------------------------------------------------------- Based on this SEC guidance and the Agencies' existing regulations, certain limits on auditors' liability are already inappropriate in audit engagement letters entered into by: Public financial institutions that file reports with the SEC or with the Agencies; Financial institutions subject to Part 363; and Certain other financial institutions that OTS regulations (12 CFR 562.4) require to have annual independent audits. In addition, certain of these limits on auditors' liability may violate the AICPA independence standards. Notwithstanding the potential applicability of auditor independence standards, the limitation of liability provisions discussed in this Advisory present safety and soundness concerns for all financial institution Audits. Alternative Dispute Resolution Agreements and Jury Trial Waivers The Agencies have observed that some financial institutions have agreed in engagement letters to submit disputes over external audit services to mandatory and binding alternative dispute resolution, binding arbitration, other binding non-judicial dispute resolution processes (collectively, ``mandatory ADR'') or to waive the right to a jury trial. By agreeing in advance to submit disputes to mandatory ADR, financial institutions may waive the right to full discovery, limit appellate review, or limit or waive other rights and protections available in ordinary litigation proceedings. The Agencies recognize that mandatory ADR procedures and jury trial waivers may be efficient and cost-effective tools for resolving disputes in some cases. Accordingly, the Agencies believe that mandatory ADR or waiver of jury trial provisions in external Audit engagement letters do not present safety and soundness concerns, provided that the engagement letters do not also incorporate limitation of liability provisions. The Agencies encourage institutions to carefully review mandatory ADR and jury trial provisions in engagement letters, as well as any agreements regarding rules of procedure, and to fully comprehend the ramifications of any agreement to waive any available remedies. Financial institutions should ensure that any mandatory ADR provisions in Audit engagement letters are commercially reasonable and: Apply equally to all parties; Provide a fair process (e.g., neutral decision-makers and appropriate hearing procedures); and Are not imposed in a coercive manner. Conclusion Financial institutions' boards of directors, audit committees, and management should not enter into any agreement that incorporates limitation of liability provisions with respect to Audits. In addition, financial institutions should document their business rationale for agreeing to any other provisions that limit their legal rights. This Advisory applies to engagement letters executed on or after February 9, 2006. The inclusion of limitation of liability provisions in external Audit engagement letters and other agreements that are inconsistent with this Advisory will generally be considered an unsafe and unsound practice. The Agencies' examiners will consider the policies, processes, and personnel surrounding a financial institution's external auditing program in determining whether (1) the engagement letter covering external auditing activities raises any safety and soundness concerns, and (2) the external auditor maintains appropriate independence regarding relationships with the financial institution under relevant professional standards. The Agencies may take appropriate supervisory action if unsafe and unsound limitation of liability provisions are included in external Audit engagement letters or other agreements related to Audits that are executed (accepted or agreed to by the financial institution) on or after February 9, 2006. Appendix A Examples of Unsafe and Unsound Limitation of Liability Provisions Presented below are some of the types of limitation of liability provisions (with an illustrative example of each type) that the Agencies observed in financial institutions' external audit engagement letters. The inclusion in external Audit engagement letters or agreements related to Audits of any of the illustrative provisions (which do not represent an all-inclusive list) or any other language that would produce similar effects is considered an unsafe and unsound practice. 1. ``Release From Liability for Auditor Negligence'' Provision In this type of provision, the financial institution agrees not to hold the audit firm liable for any damages, except to the extent determined to have resulted from willful misconduct or fraudulent behavior by the audit firm. Example: In no event shall [the audit firm] be liable to the Financial Institution, whether a claim be in tort, contract or otherwise, for any consequential, indirect, lost profit, or similar damages relating to [the audit firm's] services provided under this engagement letter, except to the extent finally determined to have resulted from the willful misconduct or fraudulent behavior of [the audit firm] relating to such services. 2. ``No Damages'' Provision In this type of provision, the financial institution agrees that in no event will the external audit firm's liability include responsibility for any compensatory (incidental or consequential) damages claimed by the financial institution. Example: In no event will [the audit firm's] liability under the terms of this Agreement include responsibility for any claimed incidental or consequential damages. 3. ``Limitation of Period To File Claim'' Provision In this type of provision, the financial institution agrees that no claim will be asserted after a fixed period of time that is shorter than the applicable statute of limitations, effectively agreeing to limit the financial institution's rights in filing a claim. Example: It is agreed by the Financial Institution and [the audit firm] or any successors in interest that no claim arising out of services rendered pursuant to this agreement by, or on behalf of, the Financial Institution shall be asserted more than two years after the date of the last audit report issued by [the audit firm]. 4. ``Losses Occurring During Periods Audited'' Provision In this type of provision, the financial institution agrees that the external audit firm's liability will be limited to any losses occurring during periods covered by the external audit, and will not include any losses occurring in later periods for which the external audit firm is not engaged. This provision may not only preclude the collection of consequential damages for harm in later years, but could preclude any recovery at all. It appears that no claim of [[Page 6855]] liability could be brought against the external audit firm until the external audit report is actually delivered. Under such a clause, any claim for liability thereafter might be precluded because the losses did not occur during the period covered by the external audit. In other words, it might limit the external audit firm's liability to a period before there could be any liability. Read more broadly, the external audit firm might be liable for losses that arise in subsequent years only if the firm continues to be engaged to audit the client's financial statements in those years. Example: In the event the Financial Institution is dissatisfied with [the audit firm's] services, it is understood that [the audit firm's] liability, if any, arising from this engagement will be limited to any losses occurring during the periods covered by [the audit firm's] audit, and shall not include any losses occurring in later periods for which [the audit firm] is not engaged as auditors. 5. ``No Assignment or Transfer'' Provision In this type of provision, the financial institution agrees that it will not assign or transfer any claim against the external audit firm to another party. This provision could limit the ability of another party to pursue a claim against the external auditor in a sale or merger of the financial institution, in a sale of certain assets or a line of business of the financial institution, or in a supervisory merger or receivership of the financial institution. This provision may also prevent the financial institution from subrogating a claim against its external auditor to the financial institution's insurer under its directors' and officers' liability or other insurance coverage. Example: The Financial Institution agrees that it will not, directly or indirectly, agree to assign or transfer any claim against [the audit firm] arising out of this engagement to anyone. 6. ``Knowing Misrepresentations by Management'' Provision In this type of provision, the financial institution releases and indemnifies the external audit firm from any claims, liabilities, and costs attributable to any knowing misrepresentation by management. Example: Because of the importance of oral and written management representations to an effective audit, the Financial Institution releases and indemnifies [the audit firm] and its personnel from any and all claims, liabilities, costs, and expenses attributable to any knowing misrepresentation by management. 7. ``Indemnification for Management Negligence'' Provision In this type of provision, the financial institution agrees to protect the external auditor from third party claims arising from the external audit firm's failure to discover negligent conduct by management. It would also reinforce the defense of contributory negligence in cases in which the financial institution brings an action against its external auditor. In either case, the contractual defense would insulate the external audit firm from claims for damages even if the reason the external auditor failed to discover the negligent conduct was a failure to conduct the external audit in accordance with generally accepted auditing standards or other applicable professional standards. Example: The Financial Institution shall indemnify, hold harmless and defend [the audit firm] and its authorized agents, partners and employees from and against any and all claims, damages, demands, actions, costs and charges arising out of, or by reason of, the Financial Institution's negligent acts or failure to act hereunder. 8. ``Damages Not to Exceed Fees Paid'' Provision In this type of provision, the financial institution agrees to limit the external auditor's liability to the amount of audit fees the financial institution paid the external auditor, regardless of the extent of damages. This may result in a substantial unrecoverable loss or cost to the financial institution. Example: [The audit firm] shall not be liable for any claim for damages arising out of or in connection with any services provided herein to the Financial Institution in an amount greater than the amount of fees actually paid to [the audit firm] with respect to the services directly relating to and forming the basis of such claim. Note: The Agencies also observed a similar provision that limited damages to a predetermined amount not related to fees paid. Appendix B SEC's Codification of Financial Reporting Policies, Section 602.02.f.i and the SEC's December 13, 2004, FAQ on Auditor Independence Section 602.02.f.i--Indemnification by Client, 3 Fed. Sec. L. (CCH) ] 38,335, at 38,603-17 (2003) Inquiry was made as to whether an accountant who certifies financial statements included in a registration statement or annual report filed with the Commission under the Securities Act or the Exchange Act would be considered independent if he had entered into an indemnity agreement with the registrant. In the particular illustration cited, the board of directors of the registrant formally approved the filing of a registration statement with the Commission and agreed to indemnify and save harmless each and every accountant who certified any part of such statement, ``from any and all losses, claims, damages or liabilities arising out of such act or acts to which they or any of them may become subject under the Securities Act, as amended, or at `common law,' other than for their willful misstatements or omissions.'' When an accountant and his client, directly or through an affiliate, have entered into an agreement of indemnity which seeks to assure to the accountant immunity from liability for his own negligent acts, whether of omission or commission, one of the major stimuli to objective and unbiased consideration of the problems encountered in a particular engagement is removed or greatly weakened. Such condition must frequently induce a departure from the standards of objectivity and impartiality which the concept of independence implies. In such difficult matters, for example, as the determination of the scope of audit necessary, existence of such an agreement may easily lead to the use of less extensive or thorough procedures than would otherwise be followed. In other cases it may result in a failure to appraise with professional acumen the information disclosed by the examination. Consequently, the accountant cannot be recognized as independent for the purpose of certifying the financial statements of the corporation. (Emphasis added.) U.S. Securities and Exchange Commission; Office of the Chief Accountant: Application of the Commission's Rules on Auditor Independence Frequently Asked Questions; Other Matters--Question 4 (issued December 13, 2004) Q: Has there been any change in the Commission's long standing view (Financial Reporting Policies--Section 600--602.02.f.i. ``Indemnification by Client'') that when an accountant enters into an indemnity agreement with the registrant, his or her independence would come into question? A: No. When an accountant and his or her client, directly or through an affiliate, enter into an agreement of indemnity that seeks to provide the accountant immunity from liability for his or her own negligent acts, whether of omission or commission, the accountant is not independent. Further, including in engagement letters a clause that a registrant would release, indemnify or hold harmless from any liability and costs resulting from knowing misrepresentations by management would also impair the firm's independence. (Emphasis added.) Dated: February 1, 2006. By the Office of Thrift Supervision, John M. Reich, Director. By order of the Board of Governors of the Federal Reserve System, February 1, 2006. Jennifer J. Johnson, Secretary of the Board. Dated at Washington, DC, the 2nd day of February, 2006. By order of the Federal Deposit Insurance Corporation. Robert E. Feldman, Executive Secretary. By the National Credit Union Administration Board on January 31, 2006. Mary F. Rupp, Secretary of the Board. Dated: February 1, 2006. John C. Dugan, Comptroller of the Currency. [FR Doc. 06-1189 Filed 2-8-06; 8:45 am] BILLING CODES 6720-01-P; 6210-01-P; 6714-01-P; 7535-01-P; 4810-33-P