How Independent is your BSA Auditor?
Federal regulatory agencies require that the domestic financial institutions they supervise develop written BSA compliance programs that are approved by their respective board of directors and noted in the minutes. One of the minimum requirements of the BSA/AML compliance program is “independent testing”.
What is Independent Testing?
Generally speaking, independent testing can be defined as the process where an organization, person or company examines or tests products, materials or services according to previously agreed requirements. The testing is independent in the sense that the tester is not affiliated with the maker or the user of the product or service being tested.
Independent testing can have a variety of purposes like (a) identifying potential cost savings in products or services; (b) solving problems with current products or services; (c) determining if, or verifying that, the requirements of a specification, regulation, or contract are met; (d) providing evidence in legal proceedings; (e) deciding if new products or changes to existing processes are on target; (f) providing data for comparison of several alternatives; and (g) providing standard data for other quality assurance functions.
Established BSA guidance indicates that the required independent testing (audit) should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties. Financial institutions that do not employ outside auditors or consultants or have internal audit departments may comply with this requirement by using qualified persons who are not involved in the function being tested.
But how do you determine if the party is “independent”?
Auditor Independence Origins
A look at the history of the concept of “independence” for auditors shows changes in the meaning according to the historical context and political and economic conditions.
The concept of auditor independence, as we currently know it, originated in the 1930s when Congress was dealing with the aftermath of the market crash of 1929 and the resulting Great Depression. The idea at the time was that publicly traded companies may “cook” their books in order to provide favorable financial statements to the investing public if left alone to prepare their own financial reports. After pressure from the public and the accounting profession, Congress enacted the Securities Act of 1933 and the Securities Exchange Act of 1934 and accepted the accountants’ position that they were the best professional group to serve as an independent third party to review these (financial) statements, along with the company’s books, and to assess the accuracy of the financial statements. Accountants had traditionally provided a similar function to business owners and based their reputation on scrupulous objectivity and integrity. Consequently, Congress established requirements that companies that offer to sell their securities to the general public must have their financial statements certified by an independent public accountant upon the original offering of the securities and annually thereafter. This independent verification of financial statements of public companies was the start of the “independent” auditor business.
Congress intention was that accountants performing these “independent” reviews should be acting as a watchdog for the public interest. However, over time, and as we have experienced with recent corporate failures, auditors’ objectivity and independence are potentially compromised simply by accepting the audit engagement as the parties under scrutiny are the same ones that are paying the auditors their fees.
Types of Independence
There are three main ways in which the auditor’s independence can manifest itself: (a) design independence; (b) investigative independence; and (c) reporting independence.
Design independence essentially safeguards the auditor’s ability to select the most appropriate strategy when conducting an audit. Auditors must be free to approach their work in whatever manner they consider best. As a client company grows and conducts new activities, the auditor’s approach will likely have to adapt to account for these. In addition, the auditing profession is a dynamic one, with new techniques constantly being developed and upgraded which the auditor may decide to use. The strategy/proposed methods which the auditor intends to implement cannot be inhibited in any way.
While design independence protects auditors’ ability to select appropriate strategies, investigative independence protects the auditor’s ability to implement the strategies in whatever manner they consider necessary. Basically, auditors must have unlimited access to all bank information. Any queries regarding the bank’s business and operational processes must be answered by the bank. The collection of audit evidence is an essential process, and cannot be restricted in any way by the client bank.
Reporting independence protects the auditor’s ability to choose to reveal to the examiners and other reporting bodies (like the Audit Committee) any information they believe should be disclosed. If bank management has been misleading directors by falsifying compliance information, they will strive to prevent the auditors from reporting this. It is in situations like this when auditor independence is most likely to be compromised.
Real Independence and Perceived Independence
There are two important aspects to independence which must be distinguished from each other: independence in fact (real independence) and independence in appearance (perceived independence). Together, both forms are essential to achieve the goals of independence. Real independence refers to independence of the auditor, also known as independence of mind. More specifically, real independence concerns the state of mind an auditor is in, and how the auditor acts in/deals with a specific situation. An auditor who is independent ‘in fact’ has the ability to make independent decisions even if there is a perceived lack of independence present, or if the auditor is placed in a compromising position by bank directors. Many difficulties lie in determining whether an auditor is truly independent, since it is impossible to observe and measure a person’s mental attitude and personal integrity. Similarly, an auditor’s objectivity must be beyond question, but how can this be guaranteed and measured? This is why perceived independence is of such importance.
It is essential that the auditor not only acts independently, but appears independent too. If an auditor is in fact independent, but one or more factors suggest otherwise, this could potentially lead the ultimate users of the audit reports (like examiners) to conclude that the audit report does not represent a true and fair view.
Relationship with the Client
An auditor earns a living from the fee he is paid. It is therefore automatic that he does not want to do anything to jeopardize this income. This reliance on clients’ fees may affect the independence of an auditor. If the auditor feels this client income is more important than their responsibilities to stakeholders he may not perform the audit with the stakeholders’ interests in mind. The larger the fee income the more likely the auditor is to avoid his responsibilities and perform the audit without independence. This could lead to the manipulation of findings. To encourage auditors to maintain their independence they must be protected from the director’s board. If they were able to challenge statements and figures without the risk of losing their job they would be more likely to work with complete independence. Ultimately, an auditor will never be able to have complete economic independence as long as the client determines audit appointments and fees.
In most cases it is the directors that negotiate an audit contract with the auditors. This may cause problems. Audit firms on occasions quote low prices to directors to ensure repeat business, or to get new clients. By doing so the firm may not be able to perform the audit fully as they do not have enough income to pay for a thorough investigation. Cutting corners could mean the audit team would be reporting without all the evidence required which will affect the quality of the report. This would bring into question their independence.
It is also common for the audit firm of a bank to provide extra services as well as performing the audit. Helping a bank reduce its tax charges or acting as a consultant for the implementation of a new computer system, are common examples. Having this additional working relationship with the client would result in questions being asked by third parties (like examiners or shareholders) as to the independence of the audit firm. If non-audit fees are substantial in relation to the audit fees, suspicions will arise that auditing standards may be compromised. The firm would no longer be unbiased, as it would want the bank to perform well so it can continue to earn the additional fee for other services. This would mean the audit firm would be dependent on the bank’s business and they would no longer be working with independence.
Except under limited circumstances, auditors should be independent from an audited entity during (a) any period of time that falls within the period covered by the subject matter of the audit; and (b) the period of the professional engagement, which begins when the auditors either sign an initial engagement letter or other agreement to perform an audit or begin to perform an audit, whichever is earlier. The period lasts for the entire duration of the professional relationship (which, for recurring audits, could cover many periods) and ends with the formal or informal notification, either by the auditors or the audited entity, of the termination of the professional relationship or by the issuance of a report, whichever is later. Accordingly, the period of professional engagement does not necessarily end with the issuance of a report and recommence with the beginning of the following year’s audit or a subsequent audit with a similar objective.
Threats to Independence
Many different circumstances, or combinations of circumstances, are relevant in evaluating threats to independence. Threats to independence are circumstances that could impair the auditor’s independence. Whether independence is impaired depends on the nature of the threat, whether the threat is of such significance that it would compromise an auditor’s professional judgment or create the appearance that the auditor’s professional judgment may be compromised, and on the specific safeguards applied to eliminate the threat or reduce it to an acceptable level. Threats are conditions to be evaluated and do not necessarily impair independence.
Threats to independence may be created by an assortment of relationships and circumstances. The following broad categories of threats to independence should be assessed when threats are being identified and evaluated:
Self-interest threat – the threat that a financial or other interest will inappropriately influence an auditor’s judgment or behavior;
Self-review threat – the threat that an auditor that has provided non-audit services will not appropriately evaluate the results of previous judgments made or services performed as part of the non-audit services when forming a judgment significant to an audit;
Bias threat – the threat that an auditor will, as a result of political, ideological, social, or other convictions, take a position that is not objective;
Familiarity threat – the threat that aspects of a relationship with management or personnel of the bank, such as a close or long relationship, or that of an immediate or close family member, will lead an auditor to take a position that is not objective;
Undue influence threat – the threat that external influences or pressures will impact an auditor’s ability to make independent and objective judgments; and
Management participation threat – the threat that results from an auditor’s taking on the role of management or otherwise performing management functions on behalf of the entity undergoing an audit.
There are some safeguards designed to eliminate or reduce to an acceptable level the threats to an auditor’s independence. The auditor should apply the safeguards that address the specific facts and circumstances under which threats to independence exist. In some cases, multiple safeguards may be necessary to address a threat. The following list of safeguards provides examples that may be effective under certain circumstances. The list cannot provide safeguards for all circumstances. It may, however, provide a starting point for auditors who have identified threats to independence and are considering what safeguards could eliminate those threats or reduce them to an acceptable level.
Examples of safeguards include:
consulting an independent third party, such as a professional organization, a professional regulatory body, or another auditor;
involving another auditor or audit firm to perform or re-perform part of the audit;
having a professional staff member who was not a member of the audit team review the work performed;
removing an individual from an audit team when that individual’s financial or other interests or relationships pose a threat to independence; and
not accepting or leaving an audit engagement.
In the BSA audit context, the BSA/AML Examination Manual provides some safeguards that should be implemented by the bank in its compliance policies:
conduct independent testing generally every 12 to 18 months, commensurate with the BSA/AML risk profile of the bank;
persons performing the independent testing must not be involved in any part of the bank’s BSA/AML compliance program (for example, developing policies and procedures or conducting training); and
persons conducting the BSA/AML testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors.
Depending on the nature of the audit, an auditor may also be able to place limited reliance on safeguards that the bank has implemented. It is not possible to rely solely on such safeguards to eliminate threats or reduce them to an acceptable level.
Examples of safeguards within the bank’s systems and procedures include:
a requirement that persons other than management ratify or approve the appointment of an auditor to perform an audit;
internal procedures at the bank that ensure objective choices in contracting non-audit services; and
a governance structure at the bank that provides appropriate oversight and communications regarding the auditor’s services.
Auditors should evaluate threats both individually and in the aggregate because threats can have a cumulative effect on an auditor’s independence.
Facts and circumstances that create threats to independence can result from events such as the start of a new audit; assignment of new staff to an ongoing audit; and acceptance of a non-audit service at an audited entity. Many other events can result in threats to independence. Auditors should use professional judgment to determine whether the facts and circumstances created by an event warrant further analysis. Whenever relevant new information about a threat to independence comes to the attention of the auditor during the audit, the auditor should evaluate the significance of the threat and determine if additional action is necessary.
When an auditor identifies threats to independence and, based on an evaluation of those threats, determines that they are not at an acceptable level, the auditor should determine whether appropriate safeguards are available and can be applied to eliminate the threats or reduce them to an acceptable level. The auditor should exercise professional judgment in making that determination, and should take into account whether both independence of mind and independence in appearance are maintained. The auditor should evaluate both qualitative and quantitative factors when determining the significance of a threat.
In cases where threats to independence are not at an acceptable level, thereby requiring the application of safeguards, the auditors should document the threats identified and the safeguards applied to eliminate the threats or reduce them to an acceptable level.
Certain conditions may lead to threats that are so significant that they cannot be eliminated or reduced to an acceptable level through the application of safeguards, resulting in impaired independence. Under such conditions, auditors should decline to perform a prospective audit or terminate an audit in progress.
Independence generally is referred to a mental state of objectivity and lack of bias. Independence requires integrity and an objective approach to the audit process. The concept requires the auditor to carry out his or her work without obstructions and in an objective manner. Independence of the auditor also means freedom from parties whose interests might be harmed by the results of an audit. The auditor should be free of “pressure” from the auditee and/or management to achieve a specific result or opinion. The auditor should be at liberty to report his or her findings, whether the results are positive or adverse to the audited party.
Maintaining objectivity includes a continuing assessment of relationships with audited entities and other stakeholders in the context of the auditors’ responsibility to the bank and other interested parties. The concepts of objectivity and independence are closely related as independence impairments impact objectivity.
While the frequency of BSA/AML audits is not specifically defined in any statute, a sound practice for the bank is to conduct independent testing generally every 12 to 18 months, commensurate with the BSA/AML risk profile of the bank. This guidance also raises the concern of determining if the bank should retain the same auditor over the years versus rotating auditors after a specified period or under certain circumstances. The bank policies should indicate the basis for auditor’s selection and retention.
One of the benefits that can be generated in cases where the bank requires a rotation on the auditors used for the BSA/AML audits is reflected in the auditor’s increased motivation to resist pressure from management since the tenure of the independent auditor is already limited in these cases. It is argued that an incumbent auditor has less incentive to collude with their client if the firm’s contract expires in the foreseeable future or that auditors are less likely to forge conflicting relationships with client personnel. Further, because current auditors will know they are soon to be replaced, they will be inclined to produce audit reports which demonstrate high standards and are an exemplar of true independence, and avoid having any shortcomings exposed by the new audit team. Another benefit from rotations is that a new independent auditor will bring a fresh viewpoint to the audit and may be an improvement to the bank’s compliance status.
Some disadvantages on requiring auditors’ rotation include (a) increased costs; (b) steep learning curve for the new auditing firm which might lead to an “audit failure”; and (c) too much disruption for the auditing firms and bank operations. These costs need to be weighed against the threat of impaired independence. Lobbying by accounting firms and their clients have turned down regulatory proposals to require auditor rotations by stressing that it is vitally important that auditors familiarize themselves with client operations in order to conduct a successful audit.
The bank should determine, according to its BSA/AML risk profile, if auditor rotation is one of the safeguards to be implemented to enhance audit independence. In the United States, Section 203 of the Sarbanes-Oxley Act requires registered public accounting firms to rotate (1) the partner having primary responsibility for the (financial) audit and (2) the partner responsible for reviewing the (financial) audit every five years. The audit committee must ensure that the requisite rotation actually takes place. The main purpose of audit partner rotation is to bring a “fresh look” to the audit engagement while maintaining firm continuity and overall audit quality. Despite mandatory audit partner rotation being required in the U.S. for over 35 years, to-date there has been limited empirical evidence speaking to the effectiveness of U.S. auditor partner rotations given that audit partner information is not disclosed in U.S. audit reports. Overall, some studies findings suggest that audit partner rotation supports auditor independence and is an important component of quality control for U.S. accounting firms.
As a matter of corporate governance, a bank should consider rotating BSA/AML audit firms periodically to get the benefit of a fresh set of eyes. Some corporate governance experts recommend doing so at least every five to ten years. In addition, governance experts recommend rotating audit firms if a substantial number of former company employees have gone to work for the audit firm or vice-versa.
Some regulators have promoted that in order for an auditor to remain strictly independent they should not be allowed to provide audit clients with any other advisory services. This idea was detailed in the European Commission’s Eighth Directive and was designed to remove conflicts of interest arising from audit companies having a high percentage of total revenue staked in the contract of one client. To date this has not been made a requirement. Both auditors and their clients have argued that the knowledge acquired during the audit process can allow other services to be provided less expensively.
The end result of the BSA independent testing is to provide written reasonable assurance from an independent source that the bank is complying with the BSA requirements. This objective will not be met if users of the audit report believe that the auditor may have been influenced by other parties, more specifically managers/directors or by conflicting interests (e.g. if the auditor owns shares in the bank to be audited or has a family member in the board of directors or employed by the bank). In addition to technical competence, auditor independence is the most important factor in establishing the credibility of the audit opinion.