Limited Liability Provisions in Audit Engagement Letters
by Robert Canova, Lead Financial Specialist, Supervision, Regulation, and Credit, Federal Reserve Bank of Atlanta, and Jennifer Grier, Senior Examiner, Supervision, Regulation, and Credit, Federal Reserve Bank of Atlanta
Community banks routinely engage external auditors for both audit and non-audit services, such as audits of pension plans, outsourced internal audits, or management consulting. Accounting specialists at the Federal Reserve and other regulatory agencies have noted an uptick in the use of limited liability provisions in external audit contracts (commonly referred to as “engagement letters”) that raise safety and soundness concerns. Certain clauses intended to limit the external auditor’s liability can also weaken the auditor’s impartiality, objectivity, and performance, thereby reducing the ability of banking regulators and other agencies to leverage audit work when completing bank examinations.
Supervisory Guidance and Regulations
Recently, Federal Reserve community bank examiners have noticed an increase in usage of limited liability language in engagement letters. The long-standing safety and soundness concerns with this practice were raised in a joint advisory issued by the Federal Reserve and the other financial institutions regulatory agencies1 in 2006. The advisory alert outlined in Supervision and Regulation (SR) letter 06-4, “Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters,”2 does not cover all engagement letters with outside auditors. Rather, the advisory applies only to engagement letters for audits of financial statements, audits of internal control over financial reporting, and attestations on management’s assessment of internal control over financial reporting.
The advisory alerts client financial institutions that it is unsafe and unsound3 to enter into engagement letters with provisions that: (1) indemnify the external auditor against all claims made by third parties, (2) hold harmless or release the external auditor from liability for claims or potential claims that might be asserted by the client financial institution (other than claims for punitive damages), or (3) limit the remedies available to the client financial institution (other than punitive damages).
Additionally, Part 363 of the FDIC's regulations (12 CFR 363.5) states that financial institutions' audit committees have a duty to ensure that audit engagement letters, and any agreements with the independent public accountant, do not contain any “limitation of liability provisions” that indemnifies or holds harmless the accountant or limits remedies available to the financial institution.4
Accounting Guidance
Limited liability provisions are also addressed by the American Institute of Certified Public Accountants (AICPA), which sets ethical standards for the accounting profession and U.S. auditing standards for private companies, nonprofit organizations, and federal, state, and local governments. Under the “Interpretations Under the Acts Discreditable Rule” section of its Code of Professional Conduct, the AICPA states that the existence of indemnification and limitation of liability provisions in engagement letters with a regulated financial institution disqualifies an AICPA member from rendering audits to that financial institution.5
Due Diligence and Audit Committee Oversight
As outlined in SR letter 06-4, the financial institution’s board of directors, management, and audit committee should not enter into any agreement that incorporates limited liability provisions. Accordingly, a financial institution’s audit committee should review applicable supervisory guidance and regulations prior to agreeing to the terms of an audit engagement. Further, a financial institution should be able to explain to Federal Reserve supervisory staff the rationale for agreeing to any other provisions that limit the legal rights of the institution.
- 1 The advisory was issued by the Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration, the Office of the Comptroller of the Currency, and the former Office of Thrift Supervision.
- 2 SR letter 06-4 is available at www.federalreserve.gov/boarddocs/srletters/2006/SR0604a1.pdf
- 3 See 12 CFR Part 208, Appendix D-1.
- 4 "The audit committee shall ensure that engagement letters and any related agreements with the IPA [independent public accountants] for services to be performed under this part do not contain any limitation of liability provisions that: (i) Indemnify the IPA against claims made by third parties; (ii) Hold harmless or release the IPA from liability for claims or potential claims that might be asserted by the client insured depository institution, other than claims for punitive damages; or, (iii) Limit the remedies available to the client insured depository institution.”
- 5 See American Institute of Certified Public Accountants Code of Professional Conduct > Part 1 – Members in Public Practice > 1.400 Acts Discreditable > Interpretations Under the Acts Discreditable Rule > 1.400.060 Indemnification and Limitation of Liability Provisions; available at https://bit.ly/3XmBPgX.