08 Mar 2011

Auditor rotation – pro and con

The practice of periodically changing, or rotating, your external auditor has been a topic of interest with our customers lately, and there are two schools of thought on this. The pro-rotation side takes the position that a different set of eyes looking at the same system might see something the other missed. This is certainly a valid position, and probably originated in the post-Enron/Arthur Andersen days. In fact, Section 203 of Sarbanes-Oxley (SOX) does require audit partner rotation every 5 years for publicly held companies, but this provision applies only to the lead auditor and the auditor responsible for reviewing the audit, not to the auditing firm.

Indeed, in interviews conducted in 2003 by the Government Accounting Office among Fortune 1000 companies, the majority surveyed indicated that audit partner rotation (using different individuals within an audit firm) would achieve the same benefits as audit firm rotation (using different audit firms).

Changing audit firms can also be somewhat disruptive, as the new firm must get up to speed on the particularities of the institution’s control environment. There is evidence that keeping the same auditor may actually improve the quality of subsequent audits, as the auditor’s store of institutional knowledge increases. Additionally, changing auditors too frequently may create the appearance of “auditor shopping”, that is, shopping around for better results.

For their part, the FFIEC is silent on the practice of auditor rotation, stating only that:

“…management should ensure that there are no conflicts of interest and that the use of these (external auditor) services does not compromise independence”

Bank examiners are instructed to assess “whether the structure, scope, and management of an internal audit outsourcing (or external audit) arrangement adequately evaluate the institution’s system of internal controls”. In other words, are they doing what they are supposed to do?

In the final analysis, in the absence of a regulatory mandate there is really only one overriding concern for financial institutions: are your examination results satisfactory? If so, and if there are no conflicts of interest or other independence concerns, there is no compelling reason to change audit firms. Periodically bringing in a different set of eyes, however, is definitely a good idea.

04 Nov 2010

Archiving vs. retention of email and other electronic data

There is no specific FFIEC regulatory mandate for archiving, just retention[1]. However, there are three reasons why you might want to consider archiving, which I will address shortly. First, though, the issue of retention.

The key to complying with legal and regulatory guidelines regarding retention is to treat all electronic information (including email) exactly the same as paper documents for the purposes of retention and destruction in your policies and procedures. Make sure your retention periods are the same regardless of the physical or electronic nature of the information.

Of course, if you’re archiving email, the challenge is in being able to separate the financial emails from the loan documentation emails, from the customer communication emails, from the jokes. All could have different (or non-existent) retention requirements, but there is no technology available to automatically classify each message by data type. Lacking that, most banks simply opt to archive all email communication regardless of the nature of the message. Simply put, there are three potential approaches to data retention: save everything, save selectively, and save nothing. Given the current technical limitations, the least risky of the three is to save everything.

Now, retention vs. archiving: think of an archive as a non-alterable backup. Some archive solutions also add a search feature, but the key is that the data cannot be deleted or modified in any way. So why consider archiving instead of simple retention? Three reasons:

First, a public company is subject to SOX regulation as well as GLBA. SOX is much more stringent in its retention requirements in the sense that the data must not only be retained, but the Bank must also reasonably assure the integrity (non-alterability) and availability (searchability) of the data. This can be done in several ways, but archiving is the most common.
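To make the two archive properties above concrete, here is a small added illustration (my own example, not code from the original post or from any vendor product): an append-only message store in which every record carries the SHA-256 hash of the previous record, so that any edit or deletion of an archived email is detectable, together with a simple search and a uniform retention check that applies the same period regardless of the medium. The messages, addresses and the seven-year retention period are constructed for the example; a production archive rests on write-once storage rather than on after-the-fact detection.

```python
"""Toy tamper-evident email archive (constructed illustration, not a product)."""
import hashlib
import json
from datetime import date, timedelta

RETENTION_DAYS = 7 * 365  # constructed example value; take the real one from your policy


class EmailArchive:
    """Append-only store. Each record embeds the hash of the record before it,
    so altering or removing any earlier record breaks the chain on verify()."""

    GENESIS = "0" * 64  # "previous hash" of the very first record

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(rec):
        # Hash every field except the hash itself, in a canonical JSON form.
        payload = {k: v for k, v in rec.items() if k != "hash"}
        data = json.dumps(payload, sort_keys=True).encode("utf-8")
        return hashlib.sha256(data).hexdigest()

    def add(self, msg_id, sent, sender, subject, body):
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        rec = {"id": msg_id, "sent": sent, "from": sender,
               "subject": subject, "body": body, "prev": prev}
        rec["hash"] = self._digest(rec)
        self.records.append(rec)
        return rec["hash"]

    def verify(self):
        """Return the index of the first broken record, or -1 if intact.
        Note: truncating the *last* record is only detectable if the latest
        hash is also anchored somewhere outside the archive."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or rec["hash"] != self._digest(rec):
                return i
            prev = rec["hash"]
        return -1

    def search(self, term):
        """Availability: case-insensitive search over subject and body."""
        term = term.lower()
        return [r["id"] for r in self.records
                if term in r["subject"].lower() or term in r["body"].lower()]

    def past_retention(self, today, retention_days=RETENTION_DAYS):
        """Messages older than the retention period; the same rule would apply
        to scanned paper, so the medium never changes the answer."""
        cutoff = today - timedelta(days=retention_days)
        return [r["id"] for r in self.records
                if date.fromisoformat(r["sent"]) < cutoff]


def build_sample_archive():
    # Constructed messages of the three kinds the post mentions.
    a = EmailArchive()
    a.add("m1", "2003-02-14", "cfo@example.bank", "Q4 financials",
          "Attached are the Q4 statements.")
    a.add("m2", "2009-06-01", "loans@example.bank", "Loan file 1234",
          "Appraisal received for loan 1234.")
    a.add("m3", "2010-10-29", "hr@example.bank", "Friday joke",
          "Why did the auditor cross the road?")
    return a


def tamper_index():
    """Edit one archived message in place and report where verify() catches it."""
    a = build_sample_archive()
    intact = a.verify()              # -1: chain is good before the edit
    a.records[1]["body"] = "Appraisal waived for loan 1234."
    return intact, a.verify()        # (-1, 1): record index 1 no longer matches


if __name__ == "__main__":
    arc = build_sample_archive()
    print("chain intact:", arc.verify() == -1)
    print("search 'loan':", arc.search("loan"))
    print("past retention on 2010-11-04:", arc.past_retention(date(2010, 11, 4)))
    print("tamper detected at index:", tamper_index()[1])
```

The hash chain is what gives the archive its “non-alterable” character in software: an auditor can recompute the chain and know that nothing has been edited or removed from the middle since the records were written. Searchability is independent of that property, which is why some archive products add it and others do not.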

Second, does your institution still have TARP funds?  If so, there could be retention implications in 3 areas:

• Accountability and transparency mandates
• Specific or implied record-keeping requirements
• Heightened public scrutiny

Taken in order: the accountability and transparency mandates were established via the Recovery Accountability and Transparency Board, which coordinates and conducts oversight of recovery spending to ensure taxpayer dollars are not wasted, abused, or used fraudulently. The overarching record-keeping requirement of the act is the broad, discretionary power given to the inspectors general to review and examine any records related to covered funds, as cited in Sec. 1515 of the act. Again, archiving is not required, but it is the best way to assure data integrity and availability.

Third, the Federal Rules of Civil Procedure, which govern the conduct of all civil actions brought in Federal district courts (and most state courts), require the disclosure of any “electronically stored information” during the discovery process. The only exceptions are if the “electronically stored information is lost as a result of the routine, good-faith operation of an electronic information system”, or if the data were destroyed in accordance with the institution’s reasonable and customary data retention and destruction policy.

[1] The Operations Handbook mentions data retention only with regard to digital imaging systems. The Handbook was written in 2004, when electronic documents were much less ubiquitous.