On Friday, September 29, 2023, the Securities and Exchange Commission’s Division of Enforcement (“SEC”) filed a civil complaint in U.S. district court (S.D. Fla., Case No. 1:23-cv-23723) against two audit firms, Prager Metis CPAs, LLC, and Prager Metis CPAs LLP (“Audit Firms”). It alleges that they were not independent while conducting 62 audits, 11 examinations, and 144 reviews because the Audit Firms’ 87 engagement letters contained an indemnification provision that violated the auditor independence requirements of Rule 2-01(b) of the SEC’s Regulation S-X.[1] The SEC seeks a permanent injunction, disgorgement of “ill-gotten gains” and proceeds from the Audit Firms’ audit work for their clients, and civil monetary penalties.
This complaint relies on a Commission-published staff interpretation of the general provision of Rule 2-01(b), which simply requires an accountant to be independent while auditing a client, but it is legally problematic for several reasons. First, the staff’s purported interpretation of 2-01(b) is not an interpretation, but a blanket rule that prohibits all indemnification provisions in engagement letters. Second, if the Commission had properly approved and adopted this prohibitory rule under the Administrative Procedures Act, as required, the blanket prohibition would, as it should, be among the litany of explicit prohibitory and mandatory rules found in Rule 2-01(c), and not, as it is, in a staff interpretation that is not part of the rule. Third, the purported logic underlying the prohibition of indemnification provisions is not relevant to the specific indemnification provision the Audit Firms used in the engagement letters at issue in this case. That provision required an audit client to reimburse the Audit Firms if—and only if—the client provided materially false information to the Audit Firms in the course of an audit and—most importantly—the Audit Firms fully satisfied their professional obligations as auditors. In other words, only if the third-party failed to provide accurate information and the auditor could not have discovered this while conducting an audit fully consistent with generally accepted auditing standards, then the auditor could seek legal redress to recover expenses. Fourth and last, the Audit Firms’ indemnification provision does not and could not “immunize” them from any investigation or legal action of third parties, including the SEC, which appears to be the accounting staff’s foundational logic of its blanket prohibition.
This civil enforcement action, predicated solely on the staff’s blanket prohibitory rule, offers troubling insight into how a federal agency can legislate a new rule without public comment or input and enforce an extra-legal rule simply through the sign-off, in an enforcement action, of a Commission that has never even considered, let alone adopted, that rule.
1. Rule 2-01’s Subsections (b) and (c)
The Commission promulgated Rule 2-01 over fifty years ago and has
amended it seven times since its appearance in 1972.[2] The entire Rule, except subsection (a), commits over 7,600 words to the topic of auditor independence.
The general provision of Rule 2-01(b) defines “auditor independence” as requiring both actual independence and apparent independence, with the test for apparent independence being whether “a reasonable investor with knowledge of all relevant facts and circumstances would conclude that the accountant is not[] capable of exercising objective and impartial judgment on all issues encompassed within the accountant’s engagement.”[3]
Rule 2-01(c) includes a long, “non-exclusive specification of circumstances”— in fact specific rules — under and by which the Commission deems an accountant not to be independent.[4] These rules are contained within eight separate categories, the first five of which set out prohibitive (don’t-do) rules and the last three of which state mandatory (must-do) rules.[5] Most of these categories contain subcategories that, in turn, contain their own scenarios and rules. For instance, “financial relationships” includes sub-categories entitled “investments in audit clients,” “other financial interests in audit clients,” “exceptions,” and “audit clients’ financial relationships.” In short, Rule 2-01(b) is the general rule, while the remainder of Rule 2-01 contains numerous, specific rules for a variety of situations and scenarios.
2. Evolution of the Staff’s Blanket Prohibition on Indemnification Provisions
A fair question, in light of the recently filed lawsuit against the two Audit Firms, would be: “Does Rule 2-01(c) include any scenario that prohibits “indemnification” or “indemnification” provisions?” The answer is straightforward: “No.” In fact, the word “indemnification” appears nowhere in Rule 2-01, either in the general rule of 2-01(b) or in the specific rules of 2-01(c), where one would expect to find it. Given this fact, what is the basis for the SEC’s claim that the Audit Firms were “not independent” simply because they had engagement letters containing indemnification provisions?
The answer appears some twelve pages into the complaint, when the SEC asserts that the Audit Firms “violated” the staff’s “interpretation” of the general provision of Rule 2-01(b). According to the complaint, in 1982, the Commission published a codification of certain Accounting Series Releases (ASRs), entitled Codification of Financial Reporting Policies (“Codification”), for the purpose of giving “meaningful guidance” to accountants and assist them “in complying with the Commission’s requirements.”[6] The Codification, identified as an SEC publication not to be published in the Federal Register / Code of Federal Regulations system, states that it “supplements” the “rules set forth in Regulations S-X [17 CFR Part 210] … by providing background and rationale for certain of the rules therein.”[7] The complaint states that the Codification had observed that “[w]hen an accountant and his client, directly or through an affiliate, have entered into an agreement of indemnity” and that agreement “seeks to assure to the accountant immunity from liability for his own negligent acts, whether of omission or commission,” then “one of the major stimuli to objective and unbiased consideration of the problems encountered in a particular engagement is removed or greatly weakened.[8]
The complaint informs us that on December 13, 2004, the SEC staff in the agency’s Office of the Chief Accountant (“OCA”) issued an interpretation “reiterating and confirming the Commission’s long standing view” that “[w]hen an accountant and the audit client …enter into an agreement of indemnity which seeks to provide the accountant immunity from liability for their own negligent acts … the accountant is not independent.”[9] This “view” or interpretation is then applied to engagement letters, stating that an engagement letter that contains “a clause that an issuer would release, indemnify or hold harmless from any liability and costs resulting from knowing misrepresentations by management” impairs an auditor’s independence.[10] The OCA’s statement in 2004 radically expanded the earlier Commission-published rule in the Codification by making it apply to all indemnification provisions, even if they not allow the auditor to seek indemnification from the client for the auditor’s negligent acts. In other words, the SEC staff (the OCA) made a new rule that claims a blanket prohibition against all types of indemnification provisions, even those conditioned on no auditor malpractice. The Commission never even published, let alone adopted, the OCA’s new rule. If it truly reflected, as claimed, the “Commission’s view,” then why did the Commission not inserted this blanket prohibition into Rule 2-01(c) in any of its four amendments since 2004?
If this is not strange enough, the OCA’s “guidance” also contains the following express disclaimer:
The answers to these frequently asked questions represent the views of the staff in the Office of the Chief Accountant. They are not rules, regulations or statements of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved them.[11]
Accordingly, the OCA FAQs, including its rule expressly prohibiting all indemnification provisions in engagement letters regardless of scope and conditions, are not SEC rules that accountants, auditors, or anyone else can “violate.” They represent views of certain members of the SEC staff, which a district court need not afford any deference: they are not equivalent to the Commission meeting in a rulemaking session and issuing regulations pursuant to Congressionally delegated authority and in accordance with the Administrative Procedures Act (“APA”).
4. The Staff-Made Rule as an “Interpretation”
The complaint claims that the (staff’s) blanket prohibitory rule is an interpretation. What is it interpreting? If it is interpreting the meaning of actual independence under Rule 2-01(b), the complaint should allege, as an issue of fact to be proven, that: (1) the Audit Firms failed to meet generally accepted auditing standards in each of the listed engagements; and (2) the existence and terms of the indemnification provision caused a failure for each subject audit, amounting to auditor malpractice. Such allegations would impose an enormous evidentiary burden on the SEC, as plaintiff, and, given the complaint’s other allegations, would be factually baseless.
If the staff’s blanket prohibition against indemnification provisions constitutes an interpretation of the meaning of apparent independence, the complaint should allege that a “reasonable investor would conclude that the accountant is not[] capable of exercising objective and impartial judgment on all issues encompassed within the accountant’s engagement.” We do not see that alleged either.
Instead, the SEC’s complaint takes the simplest route: State the staff’s rule prohibiting all indemnification provisions, and then allege that the 87 Engagement letters contained indemnification provisions. Given the desire to assert more rather than fewer claims, the complaint throws in “aiding and abetting violations by the various issuers (because, under the statute, it is actually the issuer’s obligation to obtain an audit by an independent auditor).
5. The Audit Firms’ Indemnification Provision
An indemnification provision is a contract that binds only the two parties to the contract. The Audit Firms’ indemnification provision, found in each of its 87 engagement letters,[12] allows them to recover expenses and costs arising from the audit client’s failure to provide materially accurate and complete information to the Audit Firms, thereby causing the Audit Firms to incur obligations to defend or pay third parties. The obligation to defend or pay must be “a direct or indirect result of any inaccurate or incomplete information” that the audit client “provided” to the Audit Firms “during the course of [the] engagement and not a direct or indirect result of any failure on [the Audit Firms’] part to comply with professional standards.”[13]
This is hardly a provision that, as the SEC staff put it in the Codification, “seeks to assure to the accountant immunity from liability for his own negligent acts, whether of omission or commission.”[14] First, “immunity” is a legal defense and total protection from one or more third parties. Indemnification agreements, like that in this action, enable the auditor to bring legal action and obtain reimbursement (a large expense in itself) against the audit client and cannot immunize the auditor from governmental, quasi-governmental, or private civil legal actions for auditing malpractice. Moreover, and more importantly, the “indemnification provision” makes the Audit Firms’ non-negligence an explicit condition of reimbursement. If the Audit Firms commit malpractice in addressing the audit client’s materially false statements and omissions, they are not only subject to actions from the government and others, but they also cannot recover against the client. In short, this indemnification provision does not lessen the Audit Firms’ incentive to conduct audits in accordance with the requisite audit standards, but gives the audit client an incentive to provide quality material information. The SEC staff apparently believes that audit firms, including defendants in this action, must always bear all of the costs of defending their audit reports, even if the audits were conducted properly.
6. Conclusion
This case is a troubling example of how the staff of the SEC, or any federal agency, can become, in effect, enforcers of their own self-made rules. A guiding principle of our system of justice is that the government can only enforce validly enacted laws and regulations against private individuals. The APA requires, among other things, that for a new regulation to become an enforceable law of whatever dignity, it must be shown to the public for comment. In our opinion, the SEC’s complaint against the Audit Firms should be dismissed.
ENDNOTES
[1]. The Rule is entitled “Qualification of accountants” and codified at 17 C.F.R. § 210.2-01(b) (C.F.R. is the abbreviation for Code of Federal Regulations).
[2]. 37 FR 14594 (Jul. 21, 1972), as amended at: 48 FR 9521 (Mar. 7, 1983); 65 FR 70862 (Dec. 5, 2000); 68 FR 6044 (Feb. 5, 2003); 70 FR 1593 (Jan. 7, 2005); 83 FR 50198 (Oct. 4, 2018); 84 FR 32060 (Jul. 5, 2019); 86 FR 80541 (Dec. 11, 2020).
[3]. Id. (emphasis added).
[4]. Id. (emphasis added). The language of 2-01(b) and the opening of 2-01(c) are not models of clarity. The first states that the “Commission will not recognize an accountant as independent, with respect to an audit client” if the accountant is not independent, while 2-01(c) states that it “sets forth a non-exclusive specification of circumstances inconsistent with paragraph (b) of this section.”
[5]. The eight categories are: (1) financial relationships; (2) employment relationships; (3) business relationships; (4) non-audit services; (5) contingent fees; (6) partner rotation; (7) audit committee administration of the engagement; and (8) compensation.
[7]. 47 Fed. Reg. 95 at 21029 (May 17, 1982).
[8]. Complaint, ¶ 28 (emphasis added). The codification opens by noting that “[t]he Commission announces the publication of a topical index to its Accounting Series Releases that have announced enforcement actions involving accountants. The topical index is intended to facilitate reference to the Commission’s views on particular accounting and auditing matters that have given rise to Commission enforcement actions.”
[12]. Complaint, ¶ 34:
In the event that we become obligated to pay any judgment, fine, penalty, or similar award or sanction; agree to pay any amount in settlement; and/or incur any costs including legal fees, as a result of a claim, investigation, or other proceeding instituted by any third party, including any governmental or quasi-governmental body, and if such obligation is a direct or indirect result of any inaccurate or incomplete information that you provide to us during the course of this engagement, and not any failure on our part to comply with professional standards, you agree to indemnify us, and hold us harmless as against such obligations, agreement and/or costs.
[13]. Some attorneys and even accountants believe that “failed audit”— an audit report reflecting the failure to discover or disclose an audit client’s material misstatements and omissions — is conclusive evidence of auditing malpractice. Auditing malpractice, however, is a failure to comply with Generally Accepted Auditing Standards, and these standards do not ensure the accuracy of the audit opinion in the audit report.
