Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters, 6847-6855 [06-1189]

Agencies

• FEDERAL DEPOSIT INSURANCE CORPORATION
• FEDERAL RESERVE SYSTEM
• National Credit Union Administration
• Office of the Comptroller of the Currency
• DEPARTMENT OF THE TREASURY
• Office of Thrift Supervision
• Comptroller of the Currency

[Federal Register Volume 71, Number 27 (Thursday, February 9, 2006)]
[Notices]
[Pages 6847-6855]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 06-1189]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

FEDERAL RESERVE SYSTEM

FEDERAL DEPOSIT INSURANCE CORPORATION

NATIONAL CREDIT UNION ADMINISTRATION

[No. 2006-04]

Office of the Comptroller of the Currency

Office of Thrift Supervision


Interagency Advisory on the Unsafe and Unsound Use of Limitation 
of Liability Provisions in External Audit Engagement Letters

AGENCIES: Office of Thrift Supervision (OTS), Treasury; Board of 
Governors of the Federal Reserve System (Board); Federal Deposit 
Insurance Corporation (FDIC); National Credit Union Administration 
(NCUA); Office of the Comptroller of the Currency (OCC), Treasury.

ACTION: Issuance of Interagency Advisory.

-----------------------------------------------------------------------

SUMMARY: The OTS, Board, FDIC, NCUA, and OCC (collectively, the 
``Agencies''), have finalized the Interagency Advisory on the Unsafe 
and Unsound Use of Limitation of Liability Provisions in External Audit 
Engagement Letters (``Advisory''). The Advisory informs financial 
institutions'' boards of directors, audit committees, and management 
that they should not enter into agreements that incorporate unsafe and 
unsound external auditor limitation of liability provisions with 
respect to engagements for financial statement audits, audits of 
internal control over financial reporting, and attestations on 
management's assessment of internal control over financial reporting.

DATES: Effective Date: The Advisory is effective for engagement letters 
executed on or after February 9, 2006.

FOR FURTHER INFORMATION CONTACT: OTS: Jeffrey J. Geer, Chief 
Accountant, at jeffrey.geer@ots.treas.gov or (202) 906-6363; or 
Patricia Hildebrand, Senior Policy Accountant, at 
patricia.hildebrand@ots.treas.gov or (202) 906-7048.
    Board: Terrill Garrison, Supervisory Financial Analyst, at 
terrill.garrison@frb.gov or (202) 452-2712; or Nina A. Nichols, 
Assistant Director, at nina.nichols@frb.gov or (202) 452-2961.
    FDIC: Harrison E. Greene, Jr., Senior Policy Analyst (Bank 
Accounting), Division of Supervision and Consumer Protection, at 
hgreene@fdic.gov or (202) 898-8905; or Michelle Borzillo, Counsel, 
Supervision and Legislation Section, Legal Division, at 
mborzillo@fdic.gov or (202) 898-7400.
    NCUA: Karen Kelbly, Chief Accountant, at kelblyk@ncua.gov or (703) 
518-6389; or Steven Widerman, Trial Attorney, Office of General 
Counsel, at widerman@ncua.gov or (703) 518-6557.
    OCC: Zane Blackburn, Chief Accountant, at 
zane.blackburn@occ.treas.gov or (202) 874-4944; or Kathy Murphy, Deputy 
Chief Accountant, at kathy.murphy@occ.treas.gov or (202) 874-5675.

SUPPLEMENTARY INFORMATION:

I. Background

    The Agencies have observed an increase in the types and frequency 
of provisions in financial institutions' external audit engagement 
letters that limit the auditors' liability. These provisions take many 
forms, but can generally be categorized as an agreement by a financial 
institution that is a client of an external auditor to:
     Indemnify the external auditor against claims made by 
third parties;
     Hold harmless or release the external auditor from 
liability for claims or potential claims that might be asserted by the 
client financial institution; or
     Limit the remedies available to the client financial 
institution.
    Reliable financial and regulatory reporting supports the Agencies' 
risk-focused supervision of financial institutions by contributing to 
effective pre-examination planning and off-site monitoring and 
appropriate assessments of an institution's internal control over 
financial reporting, capital adequacy, financial condition, and 
performance. Audits play a valuable role in ensuring the reliability of 
institutions' financial information.
    The Agencies believe that when financial institutions agree to 
limit their external auditors' liability, either in provisions in 
engagement letters or in provisions that accompany alternative dispute 
resolution (ADR) agreements, such provisions may weaken the external 
auditors' objectivity, impartiality, and performance. The inclusion of 
such provisions in financial institutions' external audit engagement 
letters may reduce the reliability of audits and therefore raises 
safety and soundness concerns.
    On May 10, 2005, the Federal Financial Institutions Examinations 
Council (FFIEC) on behalf of the Agencies published in the Federal 
Register a proposed Interagency Advisory on the Unsafe and Unsound Use 
of Limitation of Liability Provisions and Certain Alternative Dispute 
Resolution Provisions in External Audit Engagement Letters (70 FR 
24576) and sought comments to fully understand the effect of the 
proposed Advisory on financial institutions.

II. Scope of Advisory

    The Advisory applies to engagement letters between financial 
institutions and external auditors with respect to financial statement 
audits, audits of internal control over financial reporting, and 
attestations on management's assessment of internal control over 
financial reporting (collectively, ``Audit'' or ``Audits''). The 
Advisory does not apply to:
     Non-audit services that may be performed by financial 
institutions' external auditors;
     Audits of financial institutions' 401K plans, pension 
plans, and other similar audits;
     Services performed by accountants who are not engaged to 
perform financial institutions' Audits (e.g., outsourced internal 
audits, loan reviews); and
     Other service providers (e.g., software consultants, legal 
advisors).
    The Advisory applies to all Audits of financial institutions, 
regardless of whether an institution is a public or a non-public 
company, including Audits required under Section 36 of the Federal 
Deposit Insurance Act, OTS regulations, or Section 202 of the Federal 
Credit Union Act, Audits required by any of the Agencies, and voluntary 
Audits.

[[Page 6848]]

III. Summary of Comments

Overview

    The Agencies received 44 comment letters from auditors, financial 
institutions, trade organizations, attorneys, arbitration associations, 
and other interested parties. While public comments were requested on 
all aspects of the Advisory, the Agencies specifically sought comments 
on seven questions. Less than one third of all commenters addressed all 
seven questions.
    Most financial institutions and industry trade groups supported the 
proposed Advisory and commended the Agencies' efforts. A number of the 
commenters explained that limitation of liability provisions in audit 
engagement letters originate with external auditing firms rather than 
financial institutions.
    Most of the letters from external auditors opposed the proposal. 
External auditors explained that limitation of liability provisions are 
risk management tools commonly used in audit engagement pricing as well 
as in other business transactions. They asserted that such provisions 
allocate risk and facilitate a timely and cost effective means to 
resolve disputes while minimizing litigation expenses. Further, 
auditors stated that they should not be liable for losses resulting 
from knowing misrepresentations by the client's management.
    A number of commenters asked for clarification on the scope of the 
Advisory and on the application of the Advisory to ADR agreements 
(e.g., arbitration) and waivers of jury trials. The Agencies have 
addressed these comments in the Advisory.
    A number of commenters stated that the U.S. Securities and Exchange 
Commission (SEC), the Public Company Accounting Oversight Board 
(PCAOB), and the American Institute of Certified Public Accountants 
(AICPA) have established auditor independence rules and requirements; 
therefore, they asserted, the Advisory is not needed. Other commenters 
expressed a need for the SEC, PCAOB, and AICPA to clarify their 
guidance. On September 15, 2005, the AICPA published for comment its 
proposed interpretation of its auditor independence standards. In that 
proposal, the AICPA specifically identified limitation of liability 
provisions that impair auditor independence under its standards. Most 
of the provisions cited as unsafe and unsound in the Agencies' Advisory 
were also deemed to impair independence in the AICPA's proposed 
interpretation.

Comments

A. Application to Non-public Companies
    A number of commenters expressed concern that the Agencies were 
applying SEC and PCAOB auditor independence rules to Audits of non-
public companies. The Agencies' audit rules for financial institutions 
generally reference both the AICPA and SEC auditor independence 
standards and already apply to many non-public institutions. Therefore, 
the concept of applying SEC auditor independence standards to non-
public financial institutions is in place under existing bank and 
thrift audit regulations and is not the result of the issuance of the 
Advisory. Since safety and soundness concerns apply equally to all 
institutions' Audits, the Advisory does not establish different 
requirements for public and non-public financial institutions.
B. Risk Management and Business Practices
    Auditors asserted that to the extent the Advisory would limit an 
auditor's ability to use risk allocation tools such as: (1) Capping 
damages; (2) restricting the time period to file a claim; (3) 
restricting the transfer or assignment of legal rights by an audit 
client; or (4) otherwise limiting the allocation of risk between 
contracting parties, the Advisory would result in auditors assuming 
more risk, which would lead to economic costs with no countervailing 
showing of benefits, such as improved audits.
    Auditors further stated that the Advisory largely ignores the 
interest that financial institutions have in obtaining professional and 
independent audit services within a framework of allocated risk. 
Further, auditors stated that the Advisory attempts to use safety and 
soundness as a means for setting auditor independence standards and 
limits the use of accepted business practices to manage disputes. In 
addition, the auditors and some financial institutions expressed 
concerns that the Advisory may result in an increase in costs and be a 
disincentive for financial institutions to continue to engage an 
auditor when not required to do so.
    The Agencies continue to believe that certain limitation of 
liability provisions reduce the auditor's accountability and thus may 
weaken the auditor's objectivity, impartiality, and performance. In the 
Agencies' judgment, concerns about potential increased costs or 
restrictions on the ability of the parties to an audit engagement 
letter to allocate risk do not outweigh the need to protect financial 
institutions from the safety and soundness concerns posed by such 
limitation of liability provisions. Furthermore, any disincentive for 
financial institutions to obtain Audits when not required should be 
limited because Audits represent best practices and are strongly 
encouraged by the Agencies.
    In addition, these limitations on external auditor liability may 
not be consistent with the auditor independence standards of the SEC, 
PCAOB, and AICPA. All financial institution Audits must comply with the 
independence standards set by one or more of these standard-setters.
C. Management's Knowing Misrepresentations
    Many auditors asserted that the information provided to outside 
auditors is management's responsibility and that audit firms should not 
be liable unless fraudulent behavior or willful misconduct exists on 
the part of the auditor. Further, if management knowingly misrepresents 
significant facts to the external auditor, it is sometimes impossible 
for the auditor to uncover the true facts of a situation. The auditors 
asserted that they should be allowed to limit their liability when 
knowing misrepresentations of management contribute to the loss.
    Those commenters further stated that indemnification for 
management's knowing misrepresentations communicates a commitment that 
financial institution management and its governing board understand 
their responsibilities to perform honestly and legally. These 
commenters rejected the assertion that indemnifying auditors for 
management's knowing misrepresentations might cause an auditor to lose 
independence or to perform a less responsible audit. They also stated 
that protections that the client may provide against the client's own 
knowing misrepresentations do not preclude third parties from suing the 
auditor.
    Nevertheless, a clause that would release, indemnify, or hold an 
external auditor harmless from any liability resulting from knowing 
misrepresentations by management is inappropriate under the SEC's 
existing guidance on auditor independence (see Appendix B of the 
Advisory). The inclusion in external audit engagement letters of 
limitation of liability provisions that are prohibited by the auditor 
independence rules and interpretations of the SEC, PCAOB, or AICPA is 
considered an unsafe and unsound practice for financial

[[Page 6849]]

institutions. Provisions not clearly addressed by authoritative 
guidance may also raise safety and soundness concerns when there is a 
potential impairment of the external auditors' independence, 
objectivity, impartiality, or performance.
    The AICPA's Professional Standards, AU Section 110: 
Responsibilities and Functions of the Independent Auditor state: ``The 
auditor has a responsibility to plan and perform the audit to obtain 
reasonable assurance about whether the financial statements are free of 
material misstatement, whether caused by error or fraud.'' The Agencies 
believe that including an indemnification or limitation of liability 
provision for the client's knowing misrepresentations, willful 
misconduct, or fraudulent behavior in an Audit engagement letter may 
not be viewed as consistent with the auditor's duty and obligation to 
comply with auditing standards.
    The Agencies acknowledge that management bears the responsibility 
for its conduct and representations. Nevertheless, the auditor has a 
responsibility to obtain reasonable assurance that the financial 
statements are free from material misstatements, including 
misstatements caused by management fraud. A limitation of liability 
provision in external Audit engagement letters for management's knowing 
misrepresentations, willful misconduct, or fraudulent behavior could 
act to reduce the auditor's professional skepticism. Limited liability 
could lead to inadvertent consequences such as an auditor not fully 
considering the possibility that management fraud exists. This might 
result in less robust challenges to and over-reliance on management's 
representations rather than performance of appropriate audit procedures 
to corroborate them.
    The Agencies believe that the auditor's potential liability related 
to material misstatements due to management's misrepresentations should 
be decided by a trier of fact in a legal or other proceeding and should 
not be predetermined in the engagement letter. The trier of fact would 
take into account whether the Audit was properly conducted in 
accordance with applicable auditing standards.
D. Auditor Independence and Performance Standards
    Many auditors contended that various limitation of liability 
provisions addressed in the proposed Advisory would not impair their 
independence. For example, a large accounting firm stated, ``* * * the 
Proposal goes far beyond the independence standards established by the 
SEC, PCAOB, and AICPA.'' Another large accounting firm stated, ``Of the 
specific contractual terms identified for criticism in the proposal, 
some are already prohibited by the SEC for those entities subject to 
SEC regulation. Other contractual terms, however, are fully permissible 
and widely in use as tools to allocate risk.''
    In contrast, other commenters contended that all of the provisions 
in the proposal impair an auditor's independence. This view was most 
clearly expressed in the comment letter from an independent proxy and 
financial research firm, which stated, ``We believe audit engagement 
letters containing liability limitations impair the auditor's 
independence and reduce audit quality to an unacceptable level.'' They 
further stated, ``We believe it is inappropriate for an audit contract 
between a company and its auditor to limit the auditor's liability 
including (1) Any limitations on rights to trial, (2) limits on 
compensatory or punitive damages, or (3) limits on discovery, including 
in arbitration.''
    A number of commenters discussed the auditor's requirement to 
comply with auditing standards and stated that the failure to comply 
with such standards would result in the violation of the requirements 
of the SEC, PCAOB, AICPA, and/or state licensing authorities. Some 
commenters stated that adherence to professional auditing standards is 
further assured by periodic peer reviews and by PCAOB inspections. 
Commenters noted that auditors are subject to possible disciplinary 
action by state boards of accountancy, the SEC, the PCAOB, and the 
AICPA. These commenters concluded that the auditor's performance is 
controlled by professional standards and is not influenced by 
provisions in audit engagement letters that limit the auditor's 
liability. Consequently, they believed that the Advisory is 
unnecessary.
    The Agencies' observations lead them to conclude otherwise. Their 
concern is that limitation of liability provisions may adversely impact 
the reliability of Audits whether related to disincentives for auditor 
performance or impairment of auditor independence in fact or 
appearance. The Agencies have not attempted to categorize limitation of 
liability provisions that adversely affect safety and soundness as 
either matters of performance or independence.
    The Agencies acknowledge that the SEC, PCAOB, and AICPA set 
independence and performance standards for auditors. The Advisory does 
not purport to affect those standards. Regardless of whether limitation 
of liability provisions are permissible under auditor independence 
standards, the Agencies have a separate obligation to evaluate their 
impact on the safety and soundness of financial institutions.
    Some commenters questioned whether the Agencies have adequate 
evidence that limitation of liability provisions adversely affect 
auditor independence, objectivity, and performance. The Agencies 
acknowledge that it is inherently difficult to prove links from 
circumstances to states of mind and from there to performance. 
Nevertheless, the Agencies cannot wait for proof of harm before 
establishing guidance to ensure the safety and soundness of financial 
institutions. The Agencies must make judgments about circumstances that 
may render Audits less reliable. The Agencies' concern with the 
potential impact of such provisions is not only that an auditor might 
intentionally act less than appropriately, but might unconsciously do 
so.
    A reasonable person may believe that limitation of liability 
provisions create circumstances that may adversely affect Audit 
reliability. For example, a reasonable person may conclude that if the 
auditor faces less potential liability for the Audit, the auditor may 
be less thorough. Further, that knowledge may erode the auditor's 
independence of mind.
    The Agencies observe that the SEC has addressed limitations of 
liability in its independence rulings for more than 50 years. The AICPA 
also addresses limitations of liability in its independence standards 
and related interpretations. Additionally, many commenters stated that 
limitations of liability impair an auditor's independence.
    Auditors, in their comments, expressed inconsistent interpretations 
of the meaning and scope of the SEC, PCAOB, and AICPA auditing 
standards relating to limitations of liability. The Agencies have 
concluded that supervisory guidance in addition to the existing 
auditing standards is necessary to carry out their safety and soundness 
mandate. Because the Agencies rely on Audits to help ensure the safety 
and soundness of financial institutions, they are necessarily concerned 
with provisions that could affect the auditor's judgment and 
professional skepticism. Thus, the Agencies have concluded that since 
the limitation of liability provisions may adversely affect Audit 
reliability, such provisions are considered unsafe and unsound.

[[Page 6850]]

E. Waivers of Punitive Damages
    The comment letters included much discussion on punitive damage 
waivers. Some commenters stated that the Advisory should not prohibit 
these waivers. The AICPA's comment letter typified the views of the 
commenters advocating punitive damage waivers. The AICPA asserted, ``* 
* * limiting an auditor's liability to the client for punitive damage 
claims will not impair independence or objectivity, provided the 
auditor remains liable for actual damages--that is, the auditor remains 
exposed to clients, and also to lenders, shareholders, and other non-
clients, for damages for any actual harm caused.'' Others noted that a 
waiver of punitive damages by the client has no bearing on punitive 
damages that may be sought by a third party. Several commenters stated 
that a financial institution's agreement to not seek punitive damages 
has no effect on the safety and soundness of a financial institution.
    Due in part to the extensive comments regarding client agreements 
not to seek punitive damages from their auditors, the Agencies have 
decided to take the issue under advisement. Accordingly, at this time, 
provisions that waive the right of financial institutions to seek 
punitive damages from their external auditor are not treated as unsafe 
and unsound under the Advisory. Nevertheless, the Agencies have 
concluded that agreements by financial institutions to indemnify their 
auditors for third party punitive damage awards are deemed unsafe and 
unsound.
    To enhance transparency and market discipline, public financial 
institutions that agree to waive claims for punitive damages against 
their external auditors may want to disclose annually the nature of 
these arrangements in their proxy statements or other public reports.
F. Alternative Dispute Resolution Agreements and Waiver of Jury Trials
    The Advisory encourages all financial institutions to review 
proposed Audit engagement letters presented by audit firms and 
understand any limitations imposed by mandatory pre-dispute alternative 
dispute resolution agreements (ADR) (including arbitration agreements) 
or jury trial waivers on the institution's ability to recover damages 
from an audit firm in any future litigation. The Advisory also directs 
financial institutions to review rules of procedure referenced in ADR 
agreements to ensure that the potential consequences of such procedures 
are acceptable to the institution and to recognize that ADR agreements 
may themselves incorporate limitation of liability provisions.
    A number of commenters stated that the Advisory addresses mandatory 
ADR mechanisms and the waiver of jury trials in a way that will 
discourage financial institutions from agreeing in advance with their 
auditors to use these widely accepted, efficient, and cost effective 
means of resolving disputes. A few commenters noted that ADR and waiver 
of jury trial provisions do not take away rights; they merely reflect 
the parties' choice of a method for resolving a dispute. Further, 
commenters stated that the Agencies have previously issued 
pronouncements that recognize and even encourage the use of ADR, for 
example, the FDIC's Statement of Policy on Use of Binding Arbitration 
(66 FR 18632 (April 10, 2001)). The Interagency Policy Statement on the 
Internal Audit Function and its Outsourcing (issued by the OTS, Board, 
FDIC, and OCC in March 2003) provides that all written contracts 
between vendors and financial institutions shall prescribe a process 
(arbitration, mediation, or other means) for resolving disputes and for 
determining who bears the costs of consequential damages arising from 
errors, omissions, and negligence. Commenters also stated that ADR is 
commercially reasonable because it creates certainty and reduces 
litigation-related costs and, therefore, should be encouraged.
    The Agencies observed that limitation of liability provisions 
frequently accompanied ADR or waiver of jury trial agreements contained 
in or referenced by Audit engagement letters. The Agencies do not 
oppose ADR or waiver of jury trial agreements. However, the Agencies do 
object to the practice of including unsafe and unsound limitation of 
liability provisions in these agreements.
    In response to the comments received, the Agencies clarified that 
ADR or waiver of jury trial provisions in Audit engagement letters do 
not present safety and soundness concerns, provided the agreements do 
not incorporate limitation of liability provisions. Institutions should 
carefully review ADR and jury trial provisions in engagement letters, 
as well as any agreements regarding rules of procedure. ADR agreements 
should not include any unsafe and unsound limitation of liability 
provisions. The Advisory does not change or affect previously issued 
policies referencing ADR and does not encourage or discourage the use 
of ADR in Audit engagement letters.
G. Legal Considerations
    Four commenters addressed legal aspects of the proposed Advisory. 
Two of the four commented that state and Federal laws explicitly permit 
limitation of liability or indemnification provisions. They indicated 
that these clauses are a common feature in many business and consumer 
contracts in wide use today. The Agencies note that Audits by their 
nature require a uniquely high level of objectivity and impartiality as 
compared to other types of business arrangements. Therefore, some 
commonly used limitation of liability provisions that may be acceptable 
for other business contracts are inappropriate for Audits of financial 
institutions.
    Another commenter stated that certain jurisdictions prohibit claims 
against auditors where management fraud is imputable to the client. The 
Advisory is not intended to override existing state or Federal laws 
that govern the types of damages that may be awarded by the courts. It 
advises financial institutions' boards of directors, audit committees, 
and management that they should not agree to any Audit engagement 
letters that may present safety and soundness concerns, including 
provisions that may violate the auditor independence standards of the 
SEC, PCAOB, or AICPA, as applicable.
    One commenter stated that the Agencies have not complied with the 
legal constraints on Federal agency rulemaking (e.g., the 
Administrative Procedures Act (APA) and Executive Order 12866) with the 
Advisory. The APA prohibits agency action that is, among other things, 
arbitrary and capricious. Executive Order 12866 provides that when a 
Federal agency engages in rulemaking, it must first determine whether a 
rule is necessary.
    The Agencies have authority to issue safety and soundness guidance 
without engaging in a formal rulemaking procedure. Under 12 U.S.C. 
1831p-1(d)(1), the Agencies issue standards for safety and soundness by 
regulation or by guideline. The Advisory is issued under that authority 
and the supervisory authority vested in each of the Agencies. The 
Agencies have determined that there is a significant need for guidance 
based on their review of actual auditor engagement letters, the 
comments from financial institutions that strongly expressed a need for 
guidance, and the likely benefits as compared to the possible costs.

[[Page 6851]]

H. Other Considerations
    Several commenters expressed concern that, since the Advisory does 
not apply to other industries, financial institutions will not have a 
level playing field with other audit clients when negotiating audit 
engagement terms. In the Agencies' judgment, any concerns about 
potential increased costs or restrictions on the ability of financial 
institutions, as compared to other audit clients, to negotiate Audit 
engagement terms do not outweigh the need to protect financial 
institutions from safety and soundness concerns posed by limitation of 
liability provisions.
    Other commenters stated that auditors should only be liable for 
audits they perform. The commenters believed that a financial 
institution's engagement letter covers only the period under audit and 
that auditors should not be held responsible for losses arising in 
subsequent periods in which the auditor was not engaged. Further, 
losses that arise in subsequent periods that may be related to matters 
that existed during periods previously audited by another audit firm 
should not result in a liability to the successor audit firm.
    The Agencies concur with the concept that auditors are not 
responsible for the work of others. The Agencies object to provisions 
that are worded in a way that may not only preclude collection of 
consequential damages for harm in later years, but that may also 
preclude any recovery at all. For example, the Agencies observed 
provisions where no claim of liability could be brought against an 
auditor until the audit report is actually delivered, and then these 
provisions limited any liability thereafter to claims raised during the 
period covered by the audit. In other words, the auditor's liability 
may be limited to claims raised during the period before there could be 
any liability. Read more broadly, the auditor would be liable for 
losses that arise in subsequent years only if the auditor continued to 
audit subsequent periods.
    Several commenters asked the Agencies to provide examples of losses 
sustained by financial institutions as a result of limitation of 
liability provisions discussed in the Advisory. The Agencies' charge is 
to identify and mitigate the risk of loss to financial institutions, 
not merely to react after losses occur. Therefore, the appropriate 
standard to be applied in the Advisory is the risk of loss created by 
limitation of liability provisions, and not losses sustained by reason 
of such provisions.
I. Questions, Comments, and Responses
    1. The Advisory, as written, indicates that limitation of liability 
provisions are inappropriate for all financial institution external 
audits.
    a. Is the scope appropriate? If not, to which financial 
institutions should the Advisory apply and why?
    b. Should the Advisory apply to financial institution audits that 
are not required by law, regulation, or order?
    Comments and Responses: The vast majority of commenters stated that 
the Advisory should apply uniformly to audits of financial statements 
for all financial institutions. A few commenters stated that voluntary 
audits should not be subject to the provisions in the Advisory. Several 
commenters stated that the Advisory should apply to audits of all 
entities, not just financial institutions.
    Since the Agencies are concerned with the safety and soundness of 
all financial institutions, the Advisory applies to all Audits of 
financial institutions including voluntary Audits. Regarding the 
comments relative to the broader application of the Advisory, the 
Agencies do not have the authority to apply the Advisory to entities 
other than financial institutions.
    2. What effects would the issuance of this Advisory have on 
financial institutions' ability to negotiate the terms of audit 
engagements?
    Comments and Responses: Several commenters stated that the Advisory 
will harm financial institutions' ability to negotiate the terms of 
audit engagements and therefore either result in higher audit costs or 
a lessened ability to negotiate on usual business terms. Other 
commenters stated that negotiations would be easier because auditors 
would not be able to force undesirable terms into engagement letters.
    The Agencies believe that the Advisory does not unduly affect the 
negotiating positions of the parties or pose undue burdens on auditors 
because these clauses did not exist in the majority of the engagement 
letters reviewed by the Agencies.
    3. Would the Advisory on limitation of liability provisions result 
in an increase in external audit fees?
    a. If yes, would the increase be significant?
    b. Would it discourage financial institutions that voluntarily 
obtain audits from continuing to be audited?
    c. Would it result in fewer audit firms being willing to provide 
external audit services to financial institutions?
    Comments and Responses: The majority of commenters stated that 
audit fees would increase; however, the range of increase was judged to 
be anywhere from ``insignificant'' to ``dramatic.'' A few commenters 
stated that fees would remain the same because many auditors have 
performed audits without limitation of liability provisions for a very 
long period of time. Most commenters stated that an increase in audit 
fees would not discourage financial institutions from engaging auditors 
because Audits represent best business practices and because the 
benefits of Audits would continue to outweigh the costs.
    A few commenters said that the increase in fees would reduce the 
number of financial institutions that voluntarily obtain audits. More 
than half of the commenters expressed concern about the number of 
auditors willing to perform audits of financial institutions because of 
the inability to include limitation of liability provisions in the 
engagement letters.
    Several commenters noted that the use of such clauses furthers the 
public interest in reducing dispute resolution costs and ensures the 
availability of reasonably affordable audit services and the equitable 
distribution of financial risk. Commenters also noted that audit fees 
are determined by a variety of factors and engagement risk is a 
significant component.
    In the Agencies' judgment, any concerns about potential increased 
costs or restrictions on the ability of the parties to an Audit 
engagement letter to allocate risk do not outweigh the need to protect 
financial institutions from safety and soundness concerns posed by 
limitation of liability provisions. Furthermore, any disincentive for 
financial institutions to obtain Audits when not required should be 
limited because Audits represent best practices and are strongly 
encouraged by the Agencies.
    The Agencies do not believe that the Advisory would significantly 
affect the number of audit firms willing to provide external Audit 
services to financial institutions because limitation of liability 
provisions were not present in the majority of the engagement letters 
reviewed by the Agencies.
    4. The Advisory describes three general categories of limitation of 
liability provisions.
    a. Is the description complete and accurate?
    b. Is there any aspect of the Advisory or terminology that needs 
clarification?
    Comments and Responses: The vast majority of commenters found the 
three general categories of limitation of liability provisions complete 
and accurate and did not express a need for

[[Page 6852]]

the Advisory or terminology to be clarified. It was apparent from the 
comments received that the discussion of ADR was unclear; the Agencies 
have clarified their position in the Advisory.
    5. Appendix A of the Advisory contains examples of limitation of 
liability provisions.
    a. Do the examples clearly and sufficiently illustrate the types of 
provisions that are inappropriate?
    b. Are there other inappropriate limitation of liability provisions 
that should be included in the Advisory? If so, please provide 
examples.
    Comments and Responses: The vast majority of commenters found the 
examples of limitation of liability provisions to clearly and 
sufficiently illustrate the types of provisions that are inappropriate. 
A number of commenters stated that permitting an auditor and a client 
to agree to a release from or indemnification for claims resulting from 
knowing misrepresentations by management is fundamentally fair to the 
client and is a significant deterrent to management fraud. As discussed 
in section C. Management's Knowing Misrepresentations, the Agencies are 
not persuaded by the commenters' arguments.
    6. Is there a valid business purpose for financial institutions to 
agree to any limitation of liability provision? If so, please describe 
the limitation of liability provision and its business purpose.
    Comments and Responses: Very few commenters directly responded to 
this question. Those commenters indicated there is not a valid business 
purpose for financial institutions to agree to any limitation of 
liability provision in audit engagements.
    7. The Advisory strongly recommends that financial institutions 
take appropriate action to nullify limitation of liability provisions 
in 2005 audit engagement letters that have already been accepted. Is 
this recommendation appropriate? If not, please explain your rationale 
(including burden and cost).
    Comments and Responses: The vast majority of commenters stated that 
accepted audit engagement letters containing limitation of liability 
provisions should not require nullification for a number of reasons, 
including the fact that a contract negotiated in good faith should not 
be subject to renegotiation.
    The Agencies agreed with these comments. The Advisory applies to 
Audit engagement letters executed on or after February 9, 2006. 
Financial institutions are not required to nullify Audit engagement 
letters executed prior to February 9, 2006. If a financial institution 
has executed a multi-year Audit engagement letter prior to February 9, 
2006 (e.g., covering years ending in 2007 or later), the Agencies 
encourage financial institutions to seek to amend the engagement letter 
to be consistent with the Advisory for any Audit periods ending in 2007 
or later.

IV. Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 
Chapter 35), the Agencies have reviewed the Advisory and determined 
that it does not contain a collection of information pursuant to the 
Act.

Text of Interagency Advisory

    The text of the Interagency Advisory on the Unsafe and Unsound Use 
of Limitation of Liability Provisions in External Audit Engagement 
Letters follows:

Interagency Advisory on the Unsafe and Unsound Use of Limitation of 
Liability Provisions in External Audit Engagement Letters

Purpose

    This Advisory, issued jointly by the Office of Thrift Supervision 
(OTS), the Board of Governors of the Federal Reserve System (Board), 
the Federal Deposit Insurance Corporation (FDIC), the National Credit 
Union Administration (NCUA), and the Office of the Comptroller of the 
Currency (OCC) (collectively, the ``Agencies''), alerts financial 
institutions' \1\ boards of directors, audit committees, management, 
and external auditors to the safety and soundness implications of 
provisions that limit external auditors' liability in audit 
engagements.
---------------------------------------------------------------------------

    \1\ As used in this document, the term financial institutions 
includes banks, bank holding companies, savings associations, 
savings and loan holding companies, and credit unions.
---------------------------------------------------------------------------

    Limits on external auditors' liability may weaken the external 
auditors' objectivity, impartiality, and performance and, thus, reduce 
the Agencies' ability to rely on Audits. Therefore, certain limitation 
of liability provisions (described in this Advisory and Appendix A) are 
unsafe and unsound. In addition, such provisions may not be consistent 
with the auditor independence standards of the U.S. Securities and 
Exchange Commission (SEC), the Public Company Accounting Oversight 
Board (PCAOB), and the American Institute of Certified Public 
Accountants (AICPA).

Scope

    This Advisory applies to engagement letters between financial 
institutions and external auditors with respect to financial statement 
audits, audits of internal control over financial reporting, and 
attestations on management's assessment of internal control over 
financial reporting (collectively, ``Audit'' or ``Audits'').
    This Advisory does not apply to:
     Non-Audit services that may be performed by financial 
institutions' external auditors;
     Audits of financial institutions' 401K plans, pension 
plans, and other similar audits;
     Services performed by accountants who are not engaged to 
perform financial institutions' Audits (e.g., outsourced internal 
audits, loan reviews); and
     Other service providers (e.g., software consultants, legal 
advisors).
    While the Agencies have observed several types of limitation of 
liability provisions in external Audit engagement letters, this 
Advisory applies to any agreement that a financial institution enters 
into with its external auditor that limits the external auditor's 
liability with respect to Audits in an unsafe and unsound manner.

Background

    A properly conducted audit provides an independent and objective 
view of the reliability of a financial institution's financial 
statements. The external auditor's objective in an audit is to form an 
opinion on the financial statements taken as a whole. When planning and 
performing the audit, the external auditor considers the financial 
institution's internal control over financial reporting. Generally, the 
external auditor communicates any identified deficiencies in internal 
control to management, which enables management to take appropriate 
corrective action. In addition, certain financial institutions are 
required to file audited financial statements and internal control 
audit/attestation reports with one or more of the Agencies. The 
Agencies encourage financial institutions not subject to mandatory 
audit requirements to voluntarily obtain audits of their financial 
statements. The Federal Financial Institutions Examination Council's 
(FFIEC) Interagency Policy Statement on External Auditing Programs of 
Banks and Savings Associations \2\ notes, ``[a]n institution's internal 
and external audit programs are critical to its safety and soundness.'' 
The Policy also states that an effective external auditing program 
``can improve the safety and soundness

[[Page 6853]]

of an institution substantially and lessen the risk the institution 
poses to the insurance funds administered by the Federal Deposit 
Insurance Corporation (FDIC).''
---------------------------------------------------------------------------

    \2\ Published in the Federal Register on September 28, 1999 (64 
FR 52319). The NCUA, a member of the FFIEC, has not adopted the 
policy statement.
---------------------------------------------------------------------------

    Typically, a written engagement letter is used to establish an 
understanding between the external auditor and the financial 
institution regarding the services to be performed in connection with 
the financial institution's audit. The engagement letter commonly 
describes the objective of the audit, the reports to be prepared, the 
responsibilities of management and the external auditor, and other 
significant arrangements (e.g., fees and billing). The Agencies 
encourage boards of directors, audit committees, and management to 
closely review all of the provisions in the audit engagement letter 
before agreeing to sign. As with all agreements that affect a financial 
institution's legal rights, legal counsel should carefully review audit 
engagement letters to help ensure that those charged with engaging the 
external auditor make a fully informed decision.
    While the Agencies have not observed provisions that limit an 
external auditor's liability in the majority of external audit 
engagement letters reviewed, they have observed a significant increase 
in the types and frequency of these provisions. These provisions take 
many forms, making it impractical to provide an all-inclusive list. 
This Advisory describes the types of objectionable limitation of 
liability provisions and provides examples.\3\
---------------------------------------------------------------------------

    \3\ Examples of auditor limitation of liability provisions are 
illustrated in Appendix A.
---------------------------------------------------------------------------

    Financial institutions' boards of directors, audit committees, and 
management should also be aware that certain insurance policies (such 
as error and omission policies and director and officer liability 
policies) might not cover losses arising from claims that are precluded 
by limitation of liability provisions.

Limitation of Liability Provisions

    The provisions the Agencies deem unsafe and unsound can be 
generally categorized as an agreement by a financial institution that 
is a client of an external auditor to:
     Indemnify the external auditor against claims made by 
third parties;
     Hold harmless or release the external auditor from 
liability for claims or potential claims that might be asserted by the 
client financial institution, other than claims for punitive damages; 
or
     Limit the remedies available to the client financial 
institution, other than punitive damages.
    Collectively, these categories of provisions are referred to in 
this Advisory as ``limitation of liability provisions.''
    Provisions that waive the right of financial institutions to seek 
punitive damages from their external auditor are not treated as unsafe 
and unsound under this Advisory. Nevertheless, agreements by clients to 
indemnify their auditors against any third party damage awards, 
including punitive damages, are deemed unsafe and unsound under this 
Advisory. To enhance transparency and market discipline, public 
financial institutions that agree to waive claims for punitive damages 
against their external auditors may want to disclose annually the 
nature of these arrangements in their proxy statements or other public 
reports.
    Many financial institutions are required to have their financial 
statements audited while others voluntarily choose to undergo such 
audits. For example, banks, savings associations, and credit unions 
with $500 million or more in total assets are required to have annual 
independent audits.\4\ Certain savings associations (for example, those 
with a CAMELS rating of 3, 4, or 5) and savings and loan holding 
companies are also required by OTS regulations to have annual 
independent audits.\5\ Furthermore, financial institutions that are 
public companies \6\ must have annual independent audits. The Agencies 
rely on the results of Audits as part of their assessment of the safety 
and soundness of a financial institution.
---------------------------------------------------------------------------

    \4\ For banks and savings associations, see Section 36 of the 
Federal Deposit Insurance Act (FDI Act) (12 U.S.C. 1831m) and Part 
363 of the FDIC's regulations (12 CFR Part 363). For credit unions, 
see Section 202(a)(6) of the Federal Credit Union Act (12 U.S.C. 
1782(a)(6)) and Part 715 of the NCUA's regulations (12 CFR Part 
715).
    \5\ See OTS regulation at 12 CFR 562.4.
    \6\ Public companies are companies subject to the reporting 
requirements of the Securities Exchange Act of 1934.
---------------------------------------------------------------------------

    In order for Audits to be effective, the external auditors must be 
independent in both fact and appearance, and must perform all necessary 
procedures to comply with auditing and attestation standards 
established by either the AICPA or, if applicable, the PCAOB. When 
financial institutions execute agreements that limit the external 
auditors' liability, the external auditors' objectivity, impartiality, 
and performance may be weakened or compromised, and the usefulness of 
the Audits for safety and soundness purposes may be diminished.
    By their very nature, limitation of liability provisions can remove 
or greatly weaken external auditors' objective and unbiased 
consideration of problems encountered in audit engagements and may 
diminish auditors' adherence to the standards of objectivity and 
impartiality required in the performance of Audits. The existence of 
such provisions in external audit engagement letters may lead to the 
use of less extensive or less thorough procedures than would otherwise 
be followed, thereby reducing the reliability of Audits. Accordingly, 
financial institutions should not enter into external audit 
arrangements that include unsafe and unsound limitation of liability 
provisions identified in this Advisory, regardless of (1) The size of 
the financial institution, (2) whether the financial institution is 
public or not, or (3) whether the external audit is required or 
voluntary.

Auditor Independence

    Currently, auditor independence standard-setters include the SEC, 
PCAOB, and AICPA. Depending upon the audit client, an external auditor 
is subject to the independence standards issued by one or more of these 
standard-setters. For all credit unions under the NCUA's regulations, 
and for other non-public financial institutions that are not required 
to have annual independent audits pursuant to either Part 363 of the 
FDIC's regulations or Sec.  562.4 of the OTS's regulations, the 
Agencies' rules require only that an external auditor meet the AICPA 
independence standards; they do not require the financial institution's 
external auditor to comply with the independence standards of the SEC 
and the PCAOB.
    In contrast, for financial institutions subject to the audit 
requirements either in Part 363 of the FDIC's regulations or in Sec.  
562.4 of the OTS's regulations, the external auditor should be in 
compliance with the AICPA's Code of Professional Conduct and meet the 
independence requirements and interpretations of the SEC and its 
staff.\7\ In this regard, in a December 13, 2004, Frequently Asked 
Question (FAQ) on the application of the SEC's auditor independence 
rules, the SEC staff reiterated its long-standing position that when an 
accountant and his or her client enter into an agreement which seeks to 
provide the accountant immunity from liability for his or her

[[Page 6854]]

own negligent acts, the accountant is not independent. The FAQ also 
states that including in engagement letters a clause that would 
release, indemnify, or hold the auditor harmless from any liability and 
costs resulting from knowing misrepresentations by management would 
impair the auditor's independence.\8\ The SEC's FAQ is consistent with 
Section 602.02.f.i. (Indemnification by Client) of the SEC's 
Codification of Financial Reporting Policies. (Section 602.02.f.i. and 
the FAQ are included in Appendix B.)
---------------------------------------------------------------------------

    \7\ See FDIC Regulation 12 CFR Part 363, Appendix A--Guidelines 
and Interpretations; Guideline 14, Role of the Independent Public 
Accountant--Independence; and OTS Regulation 12 CFR 562.4(d)(3)(i), 
Qualifications for independent public accountants.
    \8\ In contrast to the SEC's position, AICPA Ethics Ruling 94 
(ET Sec.  191.188-189) currently concludes that indemnification for 
``knowing misrepresentations by management'' does not impair 
independence. On September 15, 2005, the AICPA published for comment 
its proposed interpretation of its auditor independence standards. 
In that proposal the AICPA specifically identified limitation of 
liability provisions that impair auditor independence under the 
AICPA's standards. Most of the provisions cited in this Advisory 
were deemed to impair independence in the AICPA's proposed 
interpretation. At this writing, the AICPA has not issued a final 
interpretation.
---------------------------------------------------------------------------

    Based on this SEC guidance and the Agencies' existing regulations, 
certain limits on auditors' liability are already inappropriate in 
audit engagement letters entered into by:
     Public financial institutions that file reports with the 
SEC or with the Agencies;
     Financial institutions subject to Part 363; and
     Certain other financial institutions that OTS regulations 
(12 CFR 562.4) require to have annual independent audits.
    In addition, certain of these limits on auditors' liability may 
violate the AICPA independence standards. Notwithstanding the potential 
applicability of auditor independence standards, the limitation of 
liability provisions discussed in this Advisory present safety and 
soundness concerns for all financial institution Audits.

Alternative Dispute Resolution Agreements and Jury Trial Waivers

    The Agencies have observed that some financial institutions have 
agreed in engagement letters to submit disputes over external audit 
services to mandatory and binding alternative dispute resolution, 
binding arbitration, other binding non-judicial dispute resolution 
processes (collectively, ``mandatory ADR'') or to waive the right to a 
jury trial. By agreeing in advance to submit disputes to mandatory ADR, 
financial institutions may waive the right to full discovery, limit 
appellate review, or limit or waive other rights and protections 
available in ordinary litigation proceedings.
    The Agencies recognize that mandatory ADR procedures and jury trial 
waivers may be efficient and cost-effective tools for resolving 
disputes in some cases. Accordingly, the Agencies believe that 
mandatory ADR or waiver of jury trial provisions in external Audit 
engagement letters do not present safety and soundness concerns, 
provided that the engagement letters do not also incorporate limitation 
of liability provisions. The Agencies encourage institutions to 
carefully review mandatory ADR and jury trial provisions in engagement 
letters, as well as any agreements regarding rules of procedure, and to 
fully comprehend the ramifications of any agreement to waive any 
available remedies. Financial institutions should ensure that any 
mandatory ADR provisions in Audit engagement letters are commercially 
reasonable and:
     Apply equally to all parties;
     Provide a fair process (e.g., neutral decision-makers and 
appropriate hearing procedures); and
     Are not imposed in a coercive manner.

Conclusion

    Financial institutions' boards of directors, audit committees, and 
management should not enter into any agreement that incorporates 
limitation of liability provisions with respect to Audits. In addition, 
financial institutions should document their business rationale for 
agreeing to any other provisions that limit their legal rights.
    This Advisory applies to engagement letters executed on or after 
February 9, 2006. The inclusion of limitation of liability provisions 
in external Audit engagement letters and other agreements that are 
inconsistent with this Advisory will generally be considered an unsafe 
and unsound practice. The Agencies' examiners will consider the 
policies, processes, and personnel surrounding a financial 
institution's external auditing program in determining whether (1) the 
engagement letter covering external auditing activities raises any 
safety and soundness concerns, and (2) the external auditor maintains 
appropriate independence regarding relationships with the financial 
institution under relevant professional standards. The Agencies may 
take appropriate supervisory action if unsafe and unsound limitation of 
liability provisions are included in external Audit engagement letters 
or other agreements related to Audits that are executed (accepted or 
agreed to by the financial institution) on or after February 9, 2006.

Appendix A

Examples of Unsafe and Unsound Limitation of Liability Provisions

    Presented below are some of the types of limitation of liability 
provisions (with an illustrative example of each type) that the 
Agencies observed in financial institutions' external audit 
engagement letters. The inclusion in external Audit engagement 
letters or agreements related to Audits of any of the illustrative 
provisions (which do not represent an all-inclusive list) or any 
other language that would produce similar effects is considered an 
unsafe and unsound practice.

1. ``Release From Liability for Auditor Negligence'' Provision

    In this type of provision, the financial institution agrees not 
to hold the audit firm liable for any damages, except to the extent 
determined to have resulted from willful misconduct or fraudulent 
behavior by the audit firm.
    Example: In no event shall [the audit firm] be liable to the 
Financial Institution, whether a claim be in tort, contract or 
otherwise, for any consequential, indirect, lost profit, or similar 
damages relating to [the audit firm's] services provided under this 
engagement letter, except to the extent finally determined to have 
resulted from the willful misconduct or fraudulent behavior of [the 
audit firm] relating to such services.

2. ``No Damages'' Provision

    In this type of provision, the financial institution agrees that 
in no event will the external audit firm's liability include 
responsibility for any compensatory (incidental or consequential) 
damages claimed by the financial institution.
    Example: In no event will [the audit firm's] liability under the 
terms of this Agreement include responsibility for any claimed 
incidental or consequential damages.

3. ``Limitation of Period To File Claim'' Provision

    In this type of provision, the financial institution agrees that 
no claim will be asserted after a fixed period of time that is 
shorter than the applicable statute of limitations, effectively 
agreeing to limit the financial institution's rights in filing a 
claim.
    Example: It is agreed by the Financial Institution and [the 
audit firm] or any successors in interest that no claim arising out 
of services rendered pursuant to this agreement by, or on behalf of, 
the Financial Institution shall be asserted more than two years 
after the date of the last audit report issued by [the audit firm].

4. ``Losses Occurring During Periods Audited'' Provision

    In this type of provision, the financial institution agrees that 
the external audit firm's liability will be limited to any losses 
occurring during periods covered by the external audit, and will not 
include any losses occurring in later periods for which the external 
audit firm is not engaged. This provision may not only preclude the 
collection of consequential damages for harm in later years, but 
could preclude any recovery at all. It appears that no claim of

[[Page 6855]]

liability could be brought against the external audit firm until the 
external audit report is actually delivered. Under such a clause, 
any claim for liability thereafter might be precluded because the 
losses did not occur during the period covered by the external 
audit. In other words, it might limit the external audit firm's 
liability to a period before there could be any liability. Read more 
broadly, the external audit firm might be liable for losses that 
arise in subsequent years only if the firm continues to be engaged 
to audit the client's financial statements in those years.
    Example: In the event the Financial Institution is dissatisfied 
with [the audit firm's] services, it is understood that [the audit 
firm's] liability, if any, arising from this engagement will be 
limited to any losses occurring during the periods covered by [the 
audit firm's] audit, and shall not include any losses occurring in 
later periods for which [the audit firm] is not engaged as auditors.

5. ``No Assignment or Transfer'' Provision

    In this type of provision, the financial institution agrees that 
it will not assign or transfer any claim against the external audit 
firm to another party. This provision could limit the ability of 
another party to pursue a claim against the external auditor in a 
sale or merger of the financial institution, in a sale of certain 
assets or a line of business of the financial institution, or in a 
supervisory merger or receivership of the financial institution. 
This provision may also prevent the financial institution from 
subrogating a claim against its external auditor to the financial 
institution's insurer under its directors' and officers' liability 
or other insurance coverage.
    Example: The Financial Institution agrees that it will not, 
directly or indirectly, agree to assign or transfer any claim 
against [the audit firm] arising out of this engagement to anyone.

6. ``Knowing Misrepresentations by Management'' Provision

    In this type of provision, the financial institution releases 
and indemnifies the external audit firm from any claims, 
liabilities, and costs attributable to any knowing misrepresentation 
by management.
    Example: Because of the importance of oral and written 
management representations to an effective audit, the Financial 
Institution releases and indemnifies [the audit firm] and its 
personnel from any and all claims, liabilities, costs, and expenses 
attributable to any knowing misrepresentation by management.

7. ``Indemnification for Management Negligence'' Provision

    In this type of provision, the financial institution agrees to 
protect the external auditor from third party claims arising from 
the external audit firm's failure to discover negligent conduct by 
management. It would also reinforce the defense of contributory 
negligence in cases in which the financial institution brings an 
action against its external auditor. In either case, the contractual 
defense would insulate the external audit firm from claims for 
damages even if the reason the external auditor failed to discover 
the negligent conduct was a failure to conduct the external audit in 
accordance with generally accepted auditing standards or other 
applicable professional standards.
    Example: The Financial Institution shall indemnify, hold 
harmless and defend [the audit firm] and its authorized agents, 
partners and employees from and against any and all claims, damages, 
demands, actions, costs and charges arising out of, or by reason of, 
the Financial Institution's negligent acts or failure to act 
hereunder.

8. ``Damages Not to Exceed Fees Paid'' Provision

    In this type of provision, the financial institution agrees to 
limit the external auditor's liability to the amount of audit fees 
the financial institution paid the external auditor, regardless of 
the extent of damages. This may result in a substantial 
unrecoverable loss or cost to the financial institution.
    Example: [The audit firm] shall not be liable for any claim for 
damages arising out of or in connection with any services provided 
herein to the Financial Institution in an amount greater than the 
amount of fees actually paid to [the audit firm] with respect to the 
services directly relating to and forming the basis of such claim.

    Note: The Agencies also observed a similar provision that 
limited damages to a predetermined amount not related to fees paid.

Appendix B

SEC's Codification of Financial Reporting Policies, Section 
602.02.f.i and the SEC's December 13, 2004, FAQ on Auditor 
Independence

Section 602.02.f.i--Indemnification by Client, 3 Fed. Sec. L. (CCH) ] 
38,335, at 38,603-17 (2003)

    Inquiry was made as to whether an accountant who certifies 
financial statements included in a registration statement or annual 
report filed with the Commission under the Securities Act or the 
Exchange Act would be considered independent if he had entered into 
an indemnity agreement with the registrant. In the particular 
illustration cited, the board of directors of the registrant 
formally approved the filing of a registration statement with the 
Commission and agreed to indemnify and save harmless each and every 
accountant who certified any part of such statement, ``from any and 
all losses, claims, damages or liabilities arising out of such act 
or acts to w