CUNA Regulatory Comment Call

May 27, 2005

FFIEC Advisory on the Limitation of Liability Provisions in Audit Engagement Letters


  • The Federal Financial Institutions Examination Council (FFIEC), which is composed of NCUA and the other 4 financial institution regulators, has released a proposal that advises financial institutions’ boards of directors, audit committees, and management to ensure the institution does not enter into any agreement that limits the liability of external auditors in preparation of financial statement audits. In addition, financial institutions should document their business rationale for agreeing to any other provisions that alter their legal rights.

  • Typically, the financial institution will sign a written engagement letter with the CPA firm regarding the services to be performed in connection with the external audit of the institution. The engagement letter normally covers: the objective of the external audit; the reports to be prepared; the responsibilities of management and the external auditor; and fees/billing.

  • The language in external audit agreements seeking to exempt accountants from liability with their work on financial statement audits for their client financial institutions may take a number of forms. However, limited liability provisions can be categorized into the following 3 general categories: (1) statements that would indemnify the external auditor against claims made by third parties; (2) agreements to hold harmless or release the external auditor from liability for claims by the client financial institution; and (3) limitations on remedies sought by the client financial institution. In Appendix A, the Advisory highlights the following types of provisions as being problematic in engagement letters:

    • Agreement by the institution not to hold the CPA firm liable for any damages due to negligence, only for damages resulting from willful misconduct or fraudulent behavior.
    • Exclusion of liability on the part of the audit firm for any claimed, incidental, consequential, punitive or exemplary damages.
    • Limitation on length of time the financial institution has to file a claim, shorter than the statute of limitations.
    • Restriction on CPA firm’s liability to any losses occurring during periods covered by the external audit.
    • Agreement by the institution not to assign or transfer its claim to any other party.
    • Release of the audit firm from claims, liabilities and costs regulating from any knowing misrepresentations by the firm’s management.
    • Agreement to protect the audit firm from any third party claims arising from the audit firm’s failure to discover negligent conduct by management.
    • Limitation on damages to the amount of fees paid to the audit firm.
  • The FFIEC agencies consulted with the American Institute of Certified Public Accountants (AICPA) and the Public Company Accounting Oversight Board (the PCAOB is charged with implementing the corporate governance and accounting reform requirements called for in the Sarbanes-Oxley Act) on the prevalence of the liability limitation provisions in such external audit engagement letters. The Advisory notes, "While these provisions do not appear in a majority of financial institution engagement letters, the provisions are becoming more prevalent. The Agencies believe such provisions may weaken an external auditor’s objectivity, impartiality, and performance; therefore, inclusion of these provisions in financial institution engagement letters raises safety and soundness concerns." The external agencies are concerned that such provisions reduce their ability to rely on the audit.

  • The Advisory also includes certain alterative dispute resolution (ADR) provisions in engagement letters as presenting safety and soundness concerns. The FFIEC agencies are concerned that provisions requiring the client financial institution to submit disputes over auditor services to binding arbitration or some other binding non-judicial dispute resolution process (mandatory ADR) could compromise the institution’s ability to challenge problem audits. "By agreeing in advance to submit disputes to mandatory ADR, the financial institution is effectively agreeing to waive the right to full discovery, limit appellate review, and limit or waive other rights and protections available in ordinary litigation proceedings." Similarly, by waiving its right to a jury trial, the institution may reduce the amount it could receive in a settlement. Therefore, financial institutions should not enter into pre-dispute mandatory ADR arrangements that include limitation of liability provisions, whether the limitations on liability form part of an audit engagement letter or are set out separately. Further, institutions should review the rules of procedure referenced in the ADR agreement to ensure that the potential consequences of such procedures are acceptable to the institution.

  • According to the advisory, NCUA may take appropriate supervisory action if limitation of liability provisions are included in external audit engagement letters or related agreement that are executed (accepted or agreed to by the financial institution) after the date of the Advisory (May 10, 2005). For any such letter or related agreement already accepted for a fiscal 2005 or subsequent financial statement audit (that is, fiscal years ending on or after January 1, 2005), it is strongly recommended that that boards of directors, audit committees, and management consult with legal counsel and the external auditor and take appropriate action to have any limitation of liability provision nullified.

  • Financial institutions’ boards of directors, audit committees, and management should also check with their insurers to determine whether the institution had losses due to actions on the part of their external auditors for which they did not did not recover or for which they were capped because of the limitation of liability provisions.

  • Comments are due to the FFIEC by June 9, 2005. Please send your comments to CUNA by June 6, 2005. Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at or to Senior Regulatory Counsel Catherine Orr at; or mail them to Mary or Catherine in c/o CUNA's Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, 6th Floor - South Building, Washington, DC 20004. You may also contact us at 800-356-9655, ext. 6743, if you would like a copy of the proposed Advisory, or you may access it on the Internet at:

    1. The Advisory, as written, indicates the limitation of liability provisions are inappropriate for all financial institution external audits. Is the scope of the Advisory appropriate?

      Yes ______ No ______

      If not, to which financial institutions should the Advisory apply and why?

      Should the Advisory apply to financial institution audits that are not required by law, regulation, or order?

      Yes ______ No ______

      Please explain.

    2. What effects would the issuance of this Advisory have on financial institutions’ ability to negotiate the terms of audit engagements?

    3. Would the advisory on limitation of liability provisions result in an increase in external audit fees?

      Yes ______ No ______

      If yes, would the increase be significant?

      Would it discourage financial institutions that voluntarily obtain audits from continuing to be audited?

      Yes ______ No ______

      Please explain.

      Would it result in fewer audit firms being willing to provide external audit services to financial institutions?

      Yes ______ No ______

      Please explain.

    4. The Advisory describes three general categories of limitation of liability provisions. Is the description complete and accurate?

      Yes ______ No ______

      If not, is what aspect(s) of the Advisory or terminology need(s) clarification?

    5. Appendix A of the Advisory contains examples of limitation of liability provisions. Do the examples clearly and sufficiently illustrate the types of provisions that are inappropriate?

      Yes ______ No ______

      If not, what other inappropriate limitation of liability provisions should be included in the Advisory? Please provide examples.

    6. Is there a valid business purpose for financial institutions to agree to any limitation of liability provision?

      Yes ______ No ______

      If yes, please describe the limitation of liability provision and its business purpose.

    7. The Advisory strongly recommends that financial institutions take appropriate action to nullify limitation of liability provisions in 2005 audit engagement letters that have already been accepted. Is this recommendation appropriate?

      Yes ______ No ______

      If not, please explain your rationale (including burden and cost).

    8. Other comments?

    Eric Richard • General Counsel • (202) 508-6742 •
    Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 •
    Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 •
    Lilly Thomas • Assistant General Counsel • (202) 508-6733 •
    Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 •