A major category of banned non-audit services that is missing from all the discussion and proposed rules is "management consulting". Companies and investors have already construed that "management consultants" are acting in the capacity of an employee and are often advocates of the client. Most large public accounting firms have already recognized the inherent conflict and have sold these practices. Many public companies like Raytheon and Walt Disney have already stated that these services cannot be purchased from their external audit firm. The SEC should add this category to the prohibited non-audit services.

The following Table includes typical services provided by large public accounting firms. Some of these services may no longer be provided as the practices were sold. Nevertheless, the SEC should strongly consider application of their adopted principles against each of these services to determine if these non-audit services when performed by a public accounting firm would impair independence. Here is one CPA's application of the principles.

Public Accounting Firm Professional Services

Public Accounting Firm Professional Services Potential Non-Audit Service Prohibitions
M=Acts as Employee A=Audit Own Work AD=Acts as Advocate P=Acts as Promoter	Allowed?	Allowed?	Reason Code
Assurance & Advisory Services	Yes	No
Statutory Audit	X
Financial Audit/Financial Control Review	X
Strategic Risk		X	M
Financial Risk	X
Operational Risk		X	M
Financial System Risk	X
Non Financial System Risk		X	M
Environmental Risk		X	M
Compliance Risk		X	M
Internal Audit		X	M,A
Technology Risk		X	M,A
Deal Due Diligence - Financial	X
Deal Due Diligence - Non Financial		X	M
Post Integration Services		X	M
Management Consulting
Business Strategy		X	M
Information Technology Services		X	M
Operational Strategy		X	M
Global Benchmarking		X	M
Customer Relationship Management		X	M
Human Resource Management		X	M
Enterprise System Planning & Implementation		X	M
Information Systems Integration		X	M
Cost Reduction		X	M
Tax & Legal Services
Tax Planning		X	A,AD
Tax Accounting Attest	X
Tax Preparation		X	M
Assurance & Advisory Services	Yes	No
Sales & Use Tax		X	A,AD
Property Tax		X	A,AD
Value Added Tax (VAT)		X	A,AD
Tax Management and Process		X	A,AD
Expatriate Tax			M
Personal Financial			AD
Financial Advisory Services
Investment Banking Services		X	P,AD
Business Recovery Services		X	AD
Dispute Analysis & Investigation		X	AD
Merger & Acquisitions		X	P,AD
Human Resource Services	Yes	No
Retirement Program Consulting		X	A,AD
Healthcare Solutions		X	A,AD
HR Outsourcing		X	M,A
ERISA Compliance Services		X	M,A
Organizational Development		X	M,A, AD
Business Process Outsourcing
Finance & Accounting		X	A,M
Internal Audit		X	A,M
Tax Compliance		X	A,M
Application Processing		X	A,M
Human Resources		X	A,M
Real Estate Services		X	A,M

• Is the meaning of the general principles sufficiently clear?

  The human resource examples used to demonstrate the inherent conflict minimize the other more significant areas where the public accounting firms have acted as management or employees including management consulting, internal audit, tax preparation outsourcing, tax consulting, risk consulting and business process outsourcing. It would not be difficult to provide the Audit Committees with more detailed analysis of what services should be prohibited based on the principles (see chart above as an example).

2. Financial Information Systems Design and Implementation

• Is an auditor's independence impaired when the auditor helps select or test computer software and hardware systems that generate financial data used in or underlying the financial statements? Why or why not?

Independence is impaired because the auditor helped design and test computer hardware and software controls and procedures that ultimately they will have to attest to. This is management's responsibility and the auditor is acting as an employee as well as auditing his or her own work.

• Whether a system is used to generate information that is "significant" to the audit client's financial statements may depend on the size of the engagement. Does the magnitude as a percentage of either audit fees or total fees of the fees for such services make a difference on whether performance of the service impairs independence?

Virtually all application and/or system data eventually result in financial information that the auditor reviews. Purchasing, Manufacturing, Inventory, Sales, Disbursement, HR/Payroll and Treasury applications are all integral sources of financial results. It would make more sense to prohibit all hardware and software selection, design and implementation services. This would ease the burden on the Audit Committee and management and there are numerous providers who could do this independently with high quality.

5. Internal Audit Outsourcing

Proposed Rule 2-01(c)(4)(v) provides that an auditor is not independent when the auditor performs internal audit services related to the internal accounting controls, financial systems, or financial statements, for an audit client.

This rule needs significant revision. This rule will allow the public accountant (auditor) to perform full outsourcing of the internal audit function. How? The public accountant would be permitted to review the internal accounting control, financial system evaluations and financial reporting as part of the attestation engagement. The public accountants' internal audit practice would be permitted to perform all other risk assessment, strategic, operational and compliance audits and related special projects. This is exactly the scenario that occurred at Enron with Arthur Andersen. This is exactly the scenario that was the impetus for the SOA.

This proposed rule violates the independence principles espoused by the SOA and adopted by the SEC. A public accounting firm cannot function in a management or employee capacity. Also, it is reasonable to expect and customary practice that the internal audit work performed by the public accountant will come under consideration and be relied upon by the external auditor as they assess the internal accounting control environment and opine on the fair presentation of financial results, violating another principle of auditing your own work.

Each Chairman of the 4 remaining large public accounting firms has already said they will not perform internal audit outsourcing services for their attest clients. They understand the inherent conflict that exists. The intent of Sarbanes-Oxley is to prohibit all internal audit outsourcing services versus the previous rule enacted in February 2001 that permitted internal audit outsourcing of about 75% (SEC estimate) of a company's internal audit program.

In developing this rule the SEC did not apply the principles that it has espoused. This significant oversight has to be changed otherwise there is a missed opportunity for reform and future Enron/Anderson conflicts will not be prevented.

The rule should read as follows:

Proposed Rule 2-01(c)(4)(v) provides that an auditor is not independent when the auditor performs any internal audit services as defined by the Institute of Internal Auditors for an audit client.

This does not include nonrecurring evaluations of discrete items or programs that are not in substance the outsourcing of the internal audit function. It also does not include operational internal audits unrelated to the internal accounting controls, financial systems, or financial statements.

Under what principle is this statement based? Under what authority was this language taken from?

We are concerned about the effect of the proposed rule on small businesses that have no internal audit department or staff. Smaller firms may not have sufficient need for full-time internal auditors but nonetheless, may need some services that internal auditors typically provide, which they obtain from their external auditors. We understand that, unless these companies can turn to their external auditors, the work may not be done at all or only at a significant cost to the company because the company would have to engage a separate accounting firm to provide these services.⁴²

There are many internal audit firms that are well qualified to do this work. In fact, the trend is to utilize independent, internal audit firms, versus the public accounting firms. Right now these firms provide internal audit services to numerous large and small companies. The clients benefit as these services are delivered by more experienced professionals at competitive rates. This is a very attractive alternative and positive marketplace development.

Existing Commission independence rules contain an exception for small businesses identified as those with assets totaling less than $200 million.⁴³ However, our proposed rules contain no such exception because, regardless of the entity's size, the Act appears to view the auditor as being in a position of auditing his or her own work.

The principle that the public accounting firm would be acting in the capacity of management or as an employee and auditing its own works should be applied to all discussions surrounding internal audit outsourcing regardless of the size of the company.

• Is the definition of the "internal audit function" sufficiently clear?

There is no definition of internal auditing provided. Under Institute of Internal Auditor Standards and as widely practiced by most major companies: "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.  It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

The SEC needs to better understand what modern internal audit functions provide to their organizations. The Institute of Internal Auditors, representing over 80,000 global professionals has this information and would welcome the opportunity for consultation as they have in the past.

• We solicit comment on whether an exception should be provided for small businesses. If so, what criteria should we consider in providing such an exception?

No. The auditor is working in a management or employee capacity and it is reasonable to think that the work will come under consideration and be relied upon by the external auditor as they assess and opine on the adequacy of the internal accounting control environment and the fair presentation of financial results.

• Does it impair an auditor's independence if the auditor does not provide to the client outsourcing services related to the internal audit function of the audit client, but rather performs individual audit projects for the client?

There is no difference here. Internal audit programs/plans are a series of individual projects that have been selected based an assessment of risk or as requested by the Audit Committee or management. The public accounting firm is not independent as they functioning in a management or employee capacity and it is reasonable to think that the work will come under consideration and be relied upon by the external auditor as they assess and opine on the adequacy of the internal accounting control environment and the fair presentation of financial results.

• Are there safeguards that can be established by the auditor that would allow the audit client to outsource the internal audit function to the auditor without impairing its independence?

No. The public accounting firm is not independent as they functioning in a management or employee capacity and it is reasonable to think that the work will come under consideration and be relied upon by the external auditor as they assess and opine on the adequacy of the internal accounting control environment and the fair presentation of financial results.

• Would it impair the auditor's independence if the auditor performs only operational audits that are unrelated to the internal controls, financial systems, or financial statements?

The wording should say ...Unrelated to internal accounting controls versus internal controls, which are a much broader concept than has been adopted by the SEC. 

Yes. The auditor is working in a management or employee capacity and it is reasonable to assume that the work will come under consideration and relied upon by the external auditor as they assess and opine of the adequacy of the internal accounting control environment and the fair presentation of financial results.

Operational decisions and activities are the source data for financial results and reporting. Making the distinction between financial, operational, strategic and compliance audits is difficult for internal auditors and public accountants, let alone management and the Audit Committee. If an operational audit touched the financial statements, the public accounting firms' independence would be impaired. The firm would have to resign and the company would experience significant costs for re-audit along with potential reputation risk exposures. It would be most prudent to prohibit all internal audit outsourcing services as determining compliance by the Audit Committee is an arduous task.

• Is additional guidance necessary to distinguish the services that would be prohibited under this proposed rule from those services that would be permitted as operational audits?

The auditor cannot act as management or an employee. The auditor should be prohibited from providing any internal audit service as defined by the IIA.

6. Management Functions.

We are not proposing any significant change to our current rule on management functions. Proposed Rule 2-01(c)(4)(vi) provides that an accountant's independence is impaired with respect to an audit client for which the accountant acts, temporarily or permanently, as a director, officer, or employee of an audit client, or performs any decision-making, supervisory, or ongoing monitoring functions for the audit client. This provision is consistent with the provisions of existing Rule 2-01(c)(4)(vi).⁴⁴

We believe, however, that provided the auditor does not act as an employee or perform management functions, services in connection with the assessment of internal accounting and risk management controls as well as providing recommendations for improvements do not impair an auditor's independence.

The concept of risk management controls is introduced for the first time and not defined. The more precise wording is internal accounting and reporting risk assessment process and control.

The public accounting firm is responsible for evaluating and testing management's financial risk assessment process and controls. Where this assessment is not adequate, the public accountant should undertake a review to satisfy itself that the internal accounting controls are adequate to reasonably minimize any significant internal accounting risks identified.

Accountants must gain an understanding of their audit clients' systems of internal accounting controls when conducting an audit in accordance with generally accepted auditing standards.⁴⁵ With this insight, auditors often become involved in diagnosing, assessing, and recommending to audit committees and management, ways in which their audit client's internal (accounting) controls

Language is not precise.... Should read internal accounting controls

can be improved or strengthened.⁴⁶ These services can be extremely valuable to companies, and they may also facilitate the performance of a high quality audit. For these reasons, we are proposing to continue to allow auditors to assess the effectiveness of internal controls (internal accounting controls) and to recommend improvements in the design and implementation of internal controls (internal accounting controls) and risk management controls (internal accounting and reporting risk assessment process and controls).

• Do services related to designing or implementing internal accounting controls and risk management controls result in the auditor auditing his or her own work?

Yes. This is management's responsibility.

• Would such services impair an auditor's independence when the auditor is required to issue an opinion on the effectiveness of the (internal accounting) control systems that he or she designed or implemented?

Yes. This would impair independence.

• Do services related to assessing or recommending improvements to internal accounting controls and risk management controls result in the auditor auditing his or her own work?

This is an integral part of the existing GAAS and should be performed in order to render an opinion on the adequacy of internal accounting controls and financial systems and the fair presentation of financial results. There is no need for a separate engagement as pointed out in the SOA.

• Would such services impair an auditor's independence when the auditor is required to issue an attestation report on the effectiveness of the (internal accounting) (disclosure?) control systems that he or she has assessed or evaluated for effectiveness?

This is an integral part of the existing GAAS and should be performed in order to render an opinion on the adequacy of internal accounting controls and financial systems and the fair presentation of financial results. There is no need for a separate engagement as pointed out in the SOA.

• We request comment on whether there are circumstances under which an accounting firm can perform or assume management functions or responsibilities for an audit client without impairing independence?

There is no reason they need to. There are many firms capable of fulfilling this need that are completely independent.

7. Human Resources

It appears that the SEC and the SOA did not adequately address all "management consulting" services. There are far more significant consulting services provided by public accounting firms for their attest clients than Human Resources. These services can violate any of the four principles that have been developed for determining which non-audit services should be prohibited.

By its very nature, management consulting supplants a management activity in house. By purchasing these services from the public accountant, investors reasonably believe that they are acting in the capacity of an outsourced manager or employee; that they may advocate on behalf of their client (devising tax shelters); and that they will audit their own work (e.g. sales systems design and revenue recognition policies and procedures.)

11. Tax Services

... While we do not define "tax services," we understand that tax services can include a range of activities including the preparation of tax returns, tax compliance, tax planning, tax recovery, and other tax-related services.

These are all management functions that impair the independence of the public accountants.

As part of this process, the accounting firm and the audit committee should be mindful of the three basic principles which cause an auditor to lack independence with respect to an audit client: (1) the auditor cannot audit his or her own work, (2) the auditor cannot function as a part of management (or as an employee), and (3) the auditor cannot serve in an advocacy role for the client.⁶⁴ For example, where an accountant provides representation before a tax court the accountant serves as an advocate for his or her client and the accountant's independence would be impaired. Another example would be the formulation of tax strategies (e.g. tax shelters) designed to minimize a company's tax obligations.⁶⁵ The provision of these types of services may require the accountant to audit his or her own work, to become an advocate for the client's position on novel tax issues, or to assume a management function.

D. Audit Committee Administration of the Engagement

• Should the Commission provide additional specific guidance to assist audit committees when deliberating auditor independence issues? What topics would be helpful?

Based on the four principles that were followed in the SOA and adopted here by the SEC in this proposed regulation, virtually all non-audit services unrelated to the evaluation of internal accounting controls and financial systems and the fair presentation of financial results would be prohibited. It might be easier to provide guidance on what is allowed based on the principles than develop a detailed list of what is not allowed. This is a welcome change and the benefits far exceed any transition costs. 

3. Other Material Written Communications

• Management representation letter;⁹⁴

• Reports on observations and recommendations on internal (accounting) controls;⁹⁵

III. General Request for Comments

D. Request for Comments 

• How much cost will issuers incur from not being able to retain their preferred providers of non-audit service, when that preferred provider happens to also be their auditor?

Companies find that the cost of services decrease as in many cases this is the first time there has been a competitive bid process. There is virtually no incremental or transition costs as the new firms often provide some form of reduced fees as their investment in a new client relationship.

• What will be the impact, if any, on audit fees from the proposal to prohibit certain non-audit services?

If the public accounting firms properly followed GAAS the cost increases should be minimal. New requirements for the review of disclosure controls may increase fees somewhat. The cost of audit failures may be passed along to companies, which may increase fees. However, one would argue that over time audit quality should improve reducing the likelihood significant litigation and the need for significant fee increases.
 

TEXT OF PROPOSED AMENDMENTS

In accordance with the foregoing, Title 17, Chapter II of the Code of Federal Regulations is proposed to be amended as follows:

PART 210 -

FORM AND CONTENT OF AND REQUIREMENTS FOR FINANCIAL STATEMENTS, SECURITIES ACT OF 1933, SECURITIES EXCHANGE ACT OF 1934, PUBLIC UTILITY HOLDING COMPANY ACT OF 1935, INVESTMENT COMPANY ACT OF 1940, INVESTMENT ADVISERS ACT OF 1940 AND ENERGY POLICY AND CONSERVATION ACT OF 1975

§ 210.2-01 Qualifications of accountants.

* * * * *

* * * * *

(4) Non-audit services. An accountant is not independent if, at any point during the audit and professional engagement period, the accountant provides the following non-audit services to an audit client:

(v) Internal audit outsourcing services. Any internal audit services related to the internal accounting controls, financial systems, or financial statements, for an audit client.

As described previously this definition is inconsistent with the principles espoused in the SOA and adopted here by the SEC.

This regulation needs to be revised to prohibit all internal audit outsourcing services.