Letters to Regulators
Implementation of Internal Control Reporting Provisions of the Sarbanes-Oxley Act of 2002
March 31, 2005
Jonathan G. Katz
Re: File Number 4-497; Implementation of Internal Control Reporting Provisions of the Sarbanes-Oxley Act of 2002
Dear Mr. Katz:
The Independent Community Bankers of America (ICBA)1 appreciates the opportunity to submit comments to the Securities and Exchange Commission concerning the implementation of the internal control provisions of Section 404 of the Sarbanes-Oxley Act of 2002 ("Sarbox").
ICBA commends the SEC for holding a roundtable discussion on the experiences that registrants and accounting firms are having with the implementation of Section 404. We believe that much can be learned from holding such discussions. We also commend the SEC for its recent action to delay by one year the effective date for complying with Section 404 for non-accelerated filers. The one-year delay will give smaller companies more time to implement the controls and to work out procedures with their accountants and their consultants on how the controls should be tested.
While ICBA supports the objectives of Sarbox of promoting greater integrity and responsibility in corporate financial reporting and disclosure, we are very concerned about the heavy regulatory burden that Section 404 is imposing on the community banking industry. Section 404 is straining the resources of publicly held community banks, impairing their profitability, weakening their capital, and making it difficult for them to compete with private banks and other providers of credit. In some instances, banks are going private to avoid complying with the requirements of Section 404 and the new Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting in Conjunction with an Audit of Financial Statements, released by the Public Company Accounting Oversight Board (PCAOB) in March 2004.
ICBA urges the SEC and the PCAOB to adopt an exemption from Section 404 for community banks with assets of less than $1 billion. We also recommend that the application of Accounting Standard No. 2 be tiered to the size and complexity of the institution, so that community banks are not subject to the type of internal control testing and auditing that may be appropriate for a large bank but unnecessary to achieve the desired ends for a community bank. We also have other specific recommendations concerning the application of Accounting Standard No. 2 that are discussed below.
ICBA's Community Bank Survey Indicates that Section 404 of Sarbox Imposes a Heavy Regulatory Burden on Community Banks
ICBA recently completed a survey of its publicly held community banks throughout the United States to determine the costs of complying with the new internal control attestation requirements of Section 404 of Sarbox.2 Some of the highlights of the survey, which is attached to this letter, are as follows:
It is clear from the survey results that Section 404 of Sarbox is a major financial burden for publicly held community banks. Many of our bank members noted that banks are already heavily burdened with regulations and that Sarbox Section 404 has now substantially contributed to that burden. Several community bankers that responded were chief executive officers or presidents of recently formed banks and they were particularly critical of the costs of Section 404 of Sarbox, noting in some instances that the costs were going to push their profitability point a significant time into the future. One banker even said that the compliance burden of Sarbox contributed to the decision to sell the bank.
ICBA Supports an Exemption for Community Banks under Section 404
Banks have been subject to the internal control attestation requirements of the Federal Deposit Insurance Corporation Improvement Act (FDICIA) since 1991.3 Those requirements exempt banks with assets of less than $500 million because federal banking regulators recognized that internal control reporting and attestation requirements for community banks would be unduly burdensome, particularly since they were still subject to the full scope of banking laws and regulations, were still required to have an adequate internal control structure in place, and, most importantly, were subject to regular safety and soundness examinations. The FDIC is currently considering raising the FDICIA threshold so that banks with assets of less than $1 billion would be exempt from the internal control attestation requirements of Section 36 of the Federal Deposit Insurance Act.
We urge the SEC and the PCAOB to consider a similar exemption for publicly held community banks from Section 404. ICBA is concerned that Section 404 is straining the resources of many publicly held community banks, impairing their earnings and capital, and making it difficult for them to compete with private banks and other providers of credit. As our survey indicates, many of these banks are facing significant increases in their audit fees and outside consulting fees as a result of the new requirements. Public community banks are considering either going private or taking the drastic step of selling to avoid the requirements of Sarbox.4 Furthermore, Section 404 should be consistent with the internal control requirements imposed on banks by Section 36 of the Federal Deposit Insurance Act.
Representatives of the banking agencies have commented on the need for regulatory relief for community banks. In testimony before the Senate Banking Committee last year, FDIC Vice Chairman John Reich spoke about the crushing regulatory burden that threatens the survival of community banks and the need for immediate regulatory relief.5 Vice Chairman Reich has been overseeing an interagency project authorized under the Economic Growth and Regulatory Paperwork Reduction Act (EGRPRA) to eliminate banking regulations that are considered outdated, unnecessary, or unduly burdensome. As part of the EGRPRA interagency effort to reduce banking regulations that are burdensome, ICBA urges the SEC and the PCAOB to also consider adopting an exemption for community banks with assets of less than $1 billion from the requirements of Section 404 of Sarbox.
Specific Comments Concerning Section 404 and Auditing Standard No. 2
ICBA recently surveyed its publicly held community bank members to find out their experiences with regard to the implementation of the internal control attestation requirements of Section 404. While most of ICBA's publicly held banks are non-accelerated filers whose experiences so far with Section 404 are relatively limited, we did receive a number of comments from accelerated filers as well as some non-accelerated filers who have completed most of their preparations to comply with the Section 404 requirements next year. Some of their specific comments and recommendations were as follows:
Excessive Testing and Documentation: Several banks indicated that the high cost of compliance with Section 404 was directly attributable to the excessive amount of testing and documentation required by Auditing Standard No. 2. As one banker noted, the "documenting of walk-throughs, control processes, and other testing was repetitive and resulted in unnecessary volume of documents, not to mention time consumption." In many instances, bankers felt that the testing went far beyond what was necessary to provide assurance of adequate controls for financial reporting.
Several bankers complained that the concept of "materiality" has changed as a result of the adoption of Auditing Standard No. 2 and that accounting firms have gone overboard on their testing requirements, regardless of any cost/benefit considerations and regardless of materiality, to avoid any possible future criticism of the scope of testing. As our Community Bank Survey on the Costs of Section 404 of Sarbox has shown, this excessive testing has translated into much higher than necessary audit costs and internal costs in preparing data for the auditors. For instance, one banker noted that as part of its internal control audit, the bank's auditors insisted on being present as the bank printed its customer statements, stuffed them in envelopes, and carried them to the post office. In another instance, auditors insisted that they needed to test the records of 35 employees, which in this bank's case, was 25% of their workforce. When the bank questioned whether the sample size was too large, the auditors asserted that the size was based on the number of transactions rather than the number of employees. When asked what would be required if the bank had fewer than 35 employees, the auditors jokingly suggested that the bank would have to hire more people! In other instances, bankers say that the concept of "materiality" is so strict that auditors are examining processes and controls that are not related to financial reporting.
ICBA recommends that the PCAOB issue additional guidance on what should be considered "material" for an internal control audit. This guidance should be clear enough so that excessive testing would be curtailed and audit firms could be comfortable enough with testing only essential functions that are directly related to financial reporting. Furthermore, "materiality" should be defined as a threshold amount or a formula so that both management and the auditors understand what needs to be covered. At the outset of an audit, management should be able to meet with their auditors and mutually decide on what processes should be covered based on a clearly defined standard of "materiality."
Furthermore, ICBA recommends that the application of Accounting Standard No. 2 be tiered to the size and complexity of the institution, so that, for instance, the same amount and type of testing that is done at a large bank with numerous affiliates and subsidiaries is not done at a community bank. As noted above, an internal control audit of a community bank should not require the testing of records of 25% of a bank's workforce or cover 100% of its processes. In the case of a community bank, auditors should be comfortable with testing only those processes that are essential to the reporting of financial results.
Reliance on bank examiners and internal staff: Some of our banks complained that auditors were refusing to rely on the work done by internal staff, including internal auditors, as well as the audit work done by outside bank examiners. One of our bankers noted that his bank had an internal control function, a compliance function, a security function, and was examined by the Federal Reserve and the state's Bureau of Financial Institutions. Yet his bank had to spend thousands of dollars in audit expenses because the bank's auditor could not rely on much of the work that was done internally or by federal and state banking agencies as part of their examinations.
The PCAOB should allow auditors to rely more on bank examinations and internal staff work when internal control audits are performed. It makes no sense for an auditor to duplicate the work of a bank examiner or the work of an internal auditor. Specific guidance also should be issued by the PCAOB so that auditors understand when they can rely on the audit work performed internally or by outside banking regulators.
SAS 70 Reports: Many bankers noted that the auditors are now requiring SAS 70 reports from any service bureaus that perform third party data processing functions, no matter how material the data processing function is. Community banks often outsource many of their data processing functions to third parties. They are concerned about this reliance on the SAS 70 reports because they often have limited influence over the service provider's internal control structure, the corrective actions that may be required to remediate a material weakness in the provider's internal control, and the quality of the SAS 70 engagement performed to identify material weaknesses in the provider's internal control.
ICBA recommends that Auditing Standard No. 2 or SAS 70 be changed to allow the SAS 70 reports to be completed and dated prior to the fourth quarter. This would allow more time for a company to take steps if there are internal control weaknesses noted in the report. Currently, the standard requires that SAS 70 reports be dated in the fourth quarter. These reports are usually not distributed until late in the fourth quarter or early in the first quarter of the succeeding year. If there are any internal control weaknesses noted in the SAS 70 report, there is inadequate time for a company to take remedial steps with the third party service provider or to implement additional controls.
Communications between Auditors and Management: Several bankers noted that they were unable to ask questions of their auditors about their internal controls because the auditors claimed that there would be a conflict if they answered questions and rendered an opinion on the internal controls. In those instances, bankers were forced to incur the costs of seeking opinions from other consultants or accounting firms. Bankers also noticed that many auditing firms were constantly checking their national offices for answers concerning internal control questions and Accounting Standard No. 2.
ICBA recommends that the PCAOB issue further guidance on communications between auditors and management. Management should not have to seek the advice of third party consultants on internal control questions. Auditors should be free to give such advice and still render an opinion on the internal controls of a public company.
ICBA commends the Commission for actively pursuing feedback and recommendations to improve and streamline the Section 404 requirements. We believe that the SEC and the PCAOB must work to reduce the high costs of complying with Section 404 particularly for community banks. Our survey indicates that Section 404 of Sarbox is a major financial burden for an industry that is already heavily burdened by regulation. This burden is causing many community banks to consider going private or to sell or merge with other larger banks.
We urge the SEC and the PCAOB to follow the example of what the banking agencies have done with their internal control attestation requirements required under FDICIA and adopt an exemption from the requirements of Section 404 for publicly held community banks. We think that community banks with less than $1 billion in assets should be exempted. ICBA is concerned that Section 404 is straining the resources of many publicly held community banks, impairing their earnings and their capital, and making it difficult for them to compete with private banks and other providers of credit.
ICBA also recommends that the application of Accounting Standard No. 2 be tiered to the size and complexity of the institution so that community banks are not subject to the same type of internal control testing and audit that a large bank is subject to. We also recommend that the PCAOB issue more guidance on what should be considered "material" for an internal control audit so that excessive testing can be avoided. Auditors should be able to rely more on bank examinations as well as the work of internal auditors and other internal staff. Furthermore, ICBA recommends that the timing of SAS 70 reports be reviewed so that they can be dated prior to the fourth quarter and that further guidance should be issued by the PCAOB concerning communications between auditors and management.
If you have questions or need any additional information, please do not hesitate to contact me at 202-659-8111 or at Chris.Cole@icba.org.
1 The Independent Community Bankers of America represents the largest constituency of community banks of all sizes and charter types in the nation, and is dedicated exclusively to representing the interests of the community banking industry. ICBA aggregates the power of its members to provide a voice for community banking interests in Washington, resources to enhance community bank education and marketability, and profitability options to help community banks compete in an ever-changing marketplace.
With nearly 5,000 members, representing more than 17,000 locations nationwide and employing over 260,000 Americans, ICBA members hold more than $631 billion in insured deposits, $778 billion in assets and more than $493 billion in loans to consumers, small businesses and the agricultural community. For more information, visit ICBA's website at www.icba.org.
2 Independent Community Bankers of America surveyed ICBA-member, publicly held community banks throughout the United States from December 1, 2004 to February 25, 2005. Ninety-one banks responded to the survey, for a response rate of approximately 13%. The asset size of the respondents ranged from $21 million to almost $6 billion while the average size was approximately $482 million. Approximately three-fourths of those who participated in the study were "non-accelerated SEC filers" (e.g., those banks with public floats of less than $75 million) that must comply with Section 404 beginning in 2005. Most of the respondents (61%) were listed on one of the major exchanges but a large number of the respondents (39%) were "pink sheet" or "bulletin board" companies.
3 FDICIA amended Section 36 of the Federal Deposit Insurance Act (12 U.S.C. 1831m). All insured depository institutions that have assets of $500 million or more, whether or not they are public companies, are subject to the provisions of Section 36 of the Federal Deposit Insurance Act and the FDIC's implementing regulations and guidelines (12 CFR Part 363). Section 36 and Part 363 require an annual management report, and impose annual auditing and attestation, and audit committee requirements on covered depository institutions. Part 363 allows the holding company of a covered insured depository institution to fulfill these requirements for the institution. In addition, the FDIC's implementing guidelines reference and incorporate the SEC's requirements and interpretations concerning auditor independence.
4 A recent survey by Grant Thornton (Twelfth Annual Survey of Community Bank Executives 2005) indicated that 19% of all public banks were either very likely or likely to go private in the next three years.
5 See Statement of John M. Reich, Vice Chairman, Federal Deposit Insurance Corporation, on Consideration of Regulatory Reform Proposals before the Committee on Banking, Housing and Urban Affairs, United States Senate (June 22, 2004). Several surveys have tried to quantify the regulatory burden on community banks. In 1992, Grant Thornton, LLP conducted a study for ICBA on the cost of regulatory burden for community banks, the first to focus solely on compliance costs for community banks. At that time, the study showed the cost of complying with just 13 bank regulations was $3.2 billion, which represented a whopping 24% of net income before taxes. And these 13 regulations were just a fraction of the rules that govern the industry. More recently, a survey by a Federal Reserve Board economist in 1998 found that total regulatory costs account for 12 to 13 percent of banks' noninterest expense, or about $36 billion in 2003. See "The Cost of Bank Regulation: A Review of the Evidence," Gregory Elliehausen, Federal Reserve Bulletin, April 1998.