April 6, 2016
Audit Response Letters: Confirmation.com’s Centralization
Here’s something that Locke Lord’s Stan Keller & I recently wrote:
Confirmation.com is an electronic centralized service available to audit firms to outsource the audit confirmation process. This service is now being offered to process audit response letters. Under it, audit firms send audit letter requests to – and receive audit letter responses from – law firms of an auditor’s clients using the Conformation.com portal.
Another concern is getting comfortable that the request for confidential information is coming from – or is authorized – by the client. This can be addressed by an actual signed (albeit electronic) request from the client on the portal – or by a confirmatory email from the client (which might be done as a standing authorization). Also of concern is the confidentiality of the audit response letter on a third-party system (particularly when the letter describes loss contingency matters).
Confirmation.com considers its portal to be a mere conduit for transmission of information to the auditor – but unlike the mails or a delivery service, the information remains on the portal. The site also indicates that the security of its portal has been approved by a third-party rating service – and one might suspect it is no less secure than a law firm’s own servers. Finally, the question has been asked whether supplying the information to a third-party portal might affect the attorney-client privilege. However, most commenters believe that since the portal is not an intended recipient, this should not be a problem.
There are two aspects of the new system: one is for receipt of requests and the other is for transmission of law firm responses. The issues identified don’t necessarily relate to both aspects. Thus, if there is concern over confidentiality of responses, a request could be received through the portal – and the response could be handled the old-fashioned way. Some audit firms and companies appear to prefer the convenience of a centralized request system – and law firms may face pressure to accommodate those preferences. Indeed, for law firms that use a centralized approach for handling audit response requests, there can be advantages participating in the new electronic system because requests can more easily be directed to a designated person or group within the law firm.
I’m heading to Montreal tomorrow for the ABA Business Law Section’s Spring Meeting – the “Audit Responses Committee” meets on Saturday morning at 10 am & Confirmation.com is on the agenda. Come on out…
Internal Controls: A Consultant Can’t Do Your Job
Here’s a note from Simpson Thacher’s Yafit Cohn (see the full memo):
Recently, the SEC settled an enforcement action against a company, its senior officers, audit engagement partner and consultant, due to alleged failures to “properly implement, maintain, and evaluate” internal controls over financial reporting. Here are three takeaways:
1. Listen to Your Consultants…But the Buck Stops with You – Management must give careful consideration to input from consultants, among other sources. However, management maintains ultimate responsibility for ICFR assessment, so management should not rely upon a consultant’s conclusions when it possesses knowledge suggesting that there may be a material weakness in the ICFR.
2. Heed the Rules – Management must properly evaluate the severity of any internal control deficiencies and correctly apply the standards codified by the SEC in determining the ICFR’s effectiveness. In particular, the SEC’s recent action reminds us that:
– The “presence of an actual error is not a prerequisite to concluding that a material weakness exists.” Rather, management must consider “whether there is a reasonable possibility that a material misstatement will not be timely detected or prevented.”
– The effectiveness of ICFR must be assessed as of the end of the fiscal reporting period, and thus, “[p]lanned or anticipated remedial efforts are irrelevant to the analysis.”
3. Documentation is Key – Management must create and maintain adequate documentation supporting any conclusions regarding the severity of any ICFR deficiency and the effectiveness of the company’s ICFR.
Transcript: “FAST Act – Gearing Up”
We’ve posted the transcript for our recent webcast: “FAST Act: Gearing Up.”
– Broc Romanek