April 6, 2016

Audit Response Letters:’s Centralization

Here’s something that Locke Lord’s Stan Keller & I recently wrote: is an electronic centralized service available to audit firms to outsource the audit confirmation process. This service is now being offered to process audit response letters. Under it, audit firms send audit letter requests to – and receive audit letter responses from – law firms of an auditor’s clients using the portal.

There are several issues that law firms have identified with this process (some real, some perhaps imagined) – and it’s a work in progress. A threshold concern for a law firm is the “terms of use” that the site purports to impose on users of the system. In its most recent form, several aspects of the “terms of use” present issues. It’s possible for law firms to individually negotiate these – but a more practical approach is for the bar as a whole to work with to come up with acceptable standard terms.

Another concern is getting comfortable that the request for confidential information is coming from – or is authorized by – the client. This can be addressed by an actual signed (albeit electronic) request from the client on the portal – or by a confirmatory email from the client (which might be done as a standing authorization). Also of concern is the confidentiality of the audit response letter on a third-party system (particularly when the letter describes loss contingency matters). considers its portal to be a mere conduit for transmission of information to the auditor – but unlike the mails or a delivery service, the information remains on the portal. The site also indicates that the security of its portal has been approved by a third-party rating service – and one might suspect it is no less secure than a law firm’s own servers. Finally, the question has been asked whether supplying the information to a third-party portal might affect the attorney-client privilege. However, most commenters believe that since the portal is not an intended recipient, this should not be a problem.

There are two aspects of the new system: one is for receipt of requests and the other is for transmission of law firm responses. The issues identified don’t necessarily relate to both aspects. Thus, if there is concern over confidentiality of responses, a request could be received through the portal – and the response could be handled the old-fashioned way. Some audit firms and companies appear to prefer the convenience of a centralized request system – and law firms may face pressure to accommodate those preferences. Indeed, for law firms that use a centralized approach for handling audit response requests, there can be advantages to participating in the new electronic system because requests can more easily be directed to a designated person or group within the law firm.

For now, however, until the issues have been resolved, particularly concerns with the “terms of use,” many law firms are declining to participate for both requests and responses – instead, they are asking for requests directly from clients and responding with letters sent directly to the auditors. This may change over time.

I’m heading to Montreal tomorrow for the ABA Business Law Section’s Spring Meeting – the “Audit Responses Committee” meets on Saturday morning at 10 am & is on the agenda. Come on out…

Internal Controls: A Consultant Can’t Do Your Job

Here’s a note from Simpson Thacher’s Yafit Cohn (see the full memo):

Recently, the SEC settled an enforcement action against a company, its senior officers, audit engagement partner and consultant, due to alleged failures to “properly implement, maintain, and evaluate” internal controls over financial reporting. Here are three takeaways:

1. Listen to Your Consultants…But the Buck Stops with You – Management must give careful consideration to input from consultants, among other sources. However, management maintains ultimate responsibility for ICFR assessment, so management should not rely upon a consultant’s conclusions when it possesses knowledge suggesting that there may be a material weakness in the ICFR.

2. Heed the Rules – Management must properly evaluate the severity of any internal control deficiencies and correctly apply the standards codified by the SEC in determining the ICFR’s effectiveness. In particular, the SEC’s recent action reminds us that:
– The “presence of an actual error is not a prerequisite to concluding that a material weakness exists.” Rather, management must consider “whether there is a reasonable possibility that a material misstatement will not be timely detected or prevented.”
– The effectiveness of ICFR must be assessed as of the end of the fiscal reporting period, and thus, “[p]lanned or anticipated remedial efforts are irrelevant to the analysis.”

3. Documentation is Key – Management must create and maintain adequate documentation supporting any conclusions regarding the severity of any ICFR deficiency and the effectiveness of the company’s ICFR.

Transcript: “FAST Act – Gearing Up”

We’ve posted the transcript for our recent webcast: “FAST Act: Gearing Up.”

Broc Romanek