Jim Hamilton’s World of Securities Regulation

Sunday, May 27, 2007

Audit Committee Must Pre-Approve Non-Audit Internal Control Services

As part of the massive internal control reforms, the PCAOB adopted a rule requiring the auditor to obtain pre-approval from the audit committee for the performance of any non-audit internal control services. The Sarbanes-Oxley Act requires audit committee pre-approval of all non-audit services that the auditor proposes to perform for the client company.

Rule 3525 implements this pre-approval requirement by requiring auditors to
take certain steps as part of seeking audit committee pre-approval of internal control related non-audit services. These steps are intended to ensure that audit committees are provided the information they need to make an informed decision on how the performance of internal control-related services may affect the auditor’s independence. The rule must still be approved by the SEC.

Specifically, the auditor seeking pre-approval to perform non-audit internal control services would have to:

• Describe, in writing, to the audit committee the scope of the proposed
service;
• Discuss with the audit committee the potential effects of the proposed
service on the firm's independence; and
• Document the substance of the firm's discussion with the audit committee.

These requirements parallel the auditor's responsibility in seeking audit committee pre-approval to perform tax services for an audit client under PCAOB Rule 3524 and are codified, like that rule, as part of the Board's rules on ethics and independence.

Consistent with the tax service pre-approval rule, Rule 3525 does not specify that the pre-approval must be specific. Instead, the rule is neutral as to whether an audit committee pre-approves a non-audit service on an ad hoc basis or on the basis of policies and procedures.

Many companies have adopted policies providing for pre-approval in annual audit committee meetings. And the Board understands that such an annual planning process can include as robust a presentation to the audit committee as a case-by-case pre-approval process. Thus, Rule 3525 is flexible enough to accommodate either system and encourages auditors and audit committees to develop systems tailored to the needs and attributes of the company.

A Note to Rule 3525 explains the general standard of auditor independence, and that application of this standard is guided by several principles, including whether auditors assume a management role or audit their own work. The Note further specifies, as an example of the standard’s application, that an auditor would not be independent if management had delegated its duty for internal control to the auditor or if the auditor had designed or implemented the audit client's internal controls.