In April 2023, the International Ethics Standards Board for Accountants (IESBA or Board) issued important new changes to the International Code Ethics for Professional Accountants (including International Independence Standards) (the Code). The Board also released its proposed Strategy and Work Plan (SWP) for 2024 – 2027. This article discusses the substantive changes to the independence provisions in the Code applicable to audit clients (i.e., Part 4A); A high-level summary of the Board’s proposed SWP is also provided.
Technology & Auditor Independence
In December 2022, the IESBA unanimously approved proposed technology-related revisions to the Code. The Public Interest Oversight Board (PIOB) approved the revisions, and IESBA released a final pronouncement, Technology-related Revisions, in April 2023. A Basis for Conclusions (BFC) document is also available.
The revisions guide the ethical conduct of professional accountants (PAs) who provide professional services in an environment that is constantly evolving due to technology, and address the following:
• Professional competence and due care
• Application of the Conceptual Framework
• Independence for Audit and Review Engagements
• Independence for Assurance Engagements Other than Audit and Review Engagements
Technology & Independence
Updates to Part 4A, Independence for Audit and Review Engagements, appear in Section 400, Applying the Conceptual Framework to Independence for Audit and Review Engagements, Section 520, Business Relationships, and Section 600, Provision of Non-assurance Services to an Audit Client.
Prohibition of Assuming Management Responsibilities. 400.16 A1 clarifies that the use of technology in performing a professional activity for an audit client requires PAs to do the following regardless of the nature or extent of such use: (i) avoid assuming management responsibilities for the client (R400.15) and (ii) ensure that client management will provide competent oversight of the engagement by agreeing to make all decisions and judgments related to the service (R400.16).
Business Relationships. Section R520.4 of the Code states that, “a firm, a network firm or an audit team member shall not have a close business relationship with an audit client or its management unless any financial interest is immaterial and the business relationship is insignificant to the client or its management and the firm, the network firm or the audit team member, as applicable.” 520.3 A3 adds as an example of a close business relationship, an arrangement in which a firm or network firm licenses products or solutions (e.g., software as a service) to or from an audit client. However, Buying Goods or Services (520.6 A1), adds that purchasing goods or services from an audit client does not typically create a threat to independence if a firm, network firm, audit team member, or their immediate family purchase the client’s goods or services in an arm’s length transaction made under normal terms and conditions. However, the nature or magnitude of the transaction could raise a self-interest threat that should be evaluated.
Intended to prompt PAs, 520.7 A1 notes that when firms provide, sell, resell, or license technology to an audit client, or to an entity that uses that technology when providing services to audit clients of a firm or network firm, they should consider the non-assurance services (NAS) provisions in Section 600. As a result of the comment process, the Board clarified that the applicability of these provisions would depend on the particular facts and circumstances.
NAS - Automated accounting and bookkeeping services. Auditors of non-public interest entities may perform accounting and bookkeeping services, including financial statement preparation, for an audit client if the services are routine or mechanical and the PA has determined that threats to independence are at an acceptable level. Services are routine or mechanical if: (i) the client makes the necessary judgments and decisions with respect to the information the PA uses to perform the services; and (ii) the services require little or no professional judgment to perform.
Automated accounting and bookkeeping services do not mean the services are routine or mechanical. That is, whether a human being or a machine performs the services, management responsibilities are still possible and prohibited. 601.5 A2 provides the following factors PAs should consider in determining whether an automated service is routine or mechanical:
• The activities the technology performs,
• the output of the technology, and
• whether the technology provides an automated service that is based on or requires the firm or network firm’s expertise or judgment.
NAS - Information technology (IT) design, development, implementation, and post-implementation services. The revisions expand the types of IT system services that cause firms to assume a prohibited management responsibility. For example, 606.3 A1 states that hosting data on behalf of an audit client causes the firm to assume a management responsibility. Whether directly, via the firm’s server, or indirectly via a cloud provider’s platform, the firm should not be the sole access point to the client’s financial or non-financial data or systems. Data hosting also results when the firm takes custody or stores the client’s data, leaving the client’s data and records incomplete. Furthermore, the firm should not provide electronic security or backup services, e.g., a business continuity or disaster recovery function, for the audit client’s data or records. Operating, maintaining, or monitoring an audit client’s IT systems, networks, or websites also results in a prohibited management responsibility.
Revisions to the ethics provisions (Parts 1, 2, and 3 of the Code) will be effective on December 15, 2024.
With respect to the independence provisions:
• Revisions to Part 4A will be effective for audits and reviews of financial statements for periods beginning on or after December 15, 2024.
• Revisions to Part 4B in relation to assurance engagements with respect to underlying subject matters covering periods of time will be effective for periods beginning on or after December 15, 2024; other revisions will be effective on December 15, 2024.
The SWP lists several proposed strategic drivers, which informed the Board’s strategic themes for its proposed work plan. Among other things, the environmental and operational drivers include fast-growing demand for sustainability information that is reliable and comparable and subject to assurance services; the expanding role of senior PAs in business (PAIBs) such as CFOs; a global trust crisis due to recent, large public company failures; and pressure on IESBA to issue standards more timely. The ongoing and rapid transformation due to technology and operability and global acceptance of the IESBA Code also influenced the Board’s strategic themes.
An excerpt from the proposed SWP shows the strategic themes below:
IESBA noted several projects they have already committed to do, including sustainability (independence and ethics standard-setting), which is being fast-tracked along with a project on the use of experts. The Board has also agreed to consider collective investment vehicles, pension funds, and investment company complexes and perform a post-implementation review of the Noncompliance with Laws and Regulations (NOCLAR) provisions in the Code.
New Work Streams Being Considered
A brief summary of the primary questions that would likely be addressed in each of the above potential work stream follows:
Role of CFO and other Senior PAIBs – Do Parts 1 and 2 of the Code need further enhancements to address the evolving roles of senior PAIBs?
Business relationships – Does section 520 under Part 4A sufficiently address the types of business arrangements that firms are entering into with their audit clients?
Audit firm / Audit client relationship – Is use of the term “audit client” appropriate? Or should the term “audited entity” (or a similar term) be used since the ultimate beneficiaries of audit services are the entity’s owners and shareholders?
Definitions – How can IESBA align the terms used in the Code with similar terms used in the standards of the International Auditing and Assurance Standards Board (IAASB)? Are the Code’s terms sufficiently clear?
Communication with those charged with governance (TCWG) - Should IESBA incorporate provisions addressing communication with TCWG into the Code more generally to strengthen the concepts of transparency and accountability?
In this section, IESBA acknowledged that “whether any work streams will result in standard-setting projects will depend on due fact finding and consultation with stakeholders and establishing an evidential basis for standard-setting work. In some circumstances, the IESBA might determine that the most appropriate way to address identified issues would be through means other than developing new or revised standards, for example, by commissioning non-authoritative guidance material.”
Comments are due by July 7, 2023.
The IESBA’s next meeting will take place in New York City on June 12 – 16, 2023.