In June 2019, the American Institute of Certified Public Accountants (AICPA) issued a revised independence interpretation, “Information System Services,” which replaces “Information Systems Design, Implementation, or Integration” (ET sec. 1.295.145) in the Code of Professional Conduct. The AICPA’s Professional Ethics Executive Committee (PEEC) adopted the revised rule at its May 2019 meeting, which followed numerous discussions about the revisions proposed by the Information Technology and Services Task Force, of which the author is a member.
Information system services (ISS), which include both financial and non-financial systems, raise possible self-review and management participation threats to independence. And while the interpretation identifies threats in terms of the impact on an attest client’s financial statements or processes, the interpretation applies to all attest engagements, even when the subject matter is not a set of financial statements. As stated, “In these cases, the member should define a financial information system as any system that is subject to the member’s attest procedures considering the relevant factors in paragraph .03a” (discussed in the next section).
Understanding Key Terms
The interpretation defines key terms, with the most critical being the “financial information system” (FIS). An FIS is a system that aggregates source data underlying the financial statements or generates information that is significant to the client’s financial statements or financial processes as a whole. An FIS would not include a software tool that performs only discrete calculations reflected in the financial statements, for example, generates amortization or depreciation schedules. However, the attest client’s personnel must evaluate and accept responsibility for the tool’s inputs and assumptions (e.g., useful lives) and have enough information to understand the calculation and the results.
Other key terms include:
Designing an information system
Developing an information system
Commercial off-the-shelf (COTS)
How should I determine whether an ISS is related to an FIS?
Members (that is, practitioners) should consider all relevant factors, such as whether the ISS would affect:
System controls or outputs that will be subject to the firm’s attest procedures (for example, consolidated balances that become part of the financial statements);
A system that generates data used as input to the financial statements (for example, a payables system), including information reflected in or used in determining financial statement amounts and disclosures;
A data-gathering system used to make decisions that could significantly impact financial reporting (for example, an analytical tool); and
A system that is part of the attest client's internal controls over financial reporting, including information systems used to effect internal controls over financial reporting (for example, application controls that help ensure the integrity of financial statement data).
Which types of ISS impair independence?
As in all nonattest services provided to attest clients, members must meet the general requirements of the "Nonattest Services" subtopic (1.295.040) to perform ISS. Three types of ISS, discussed next, are addressed in the interpretation: (1) design and development; (2) implementation; and (3) system and network maintenance, support and monitoring.
Design and Development
Designing an information system means a member determines how a system or transaction will function, process data, and produce results, which provides a blueprint for the development of software code (programs) and data structures. A member who develops an information system creates software code and then tests the code to confirm it is functioning as designed.
Designing or developing an information system that relates to an FIS (or other subject matter of the attest engagement) impairs independence. Self-review and management participation threats to independence would not be at an acceptable level and could not be reduced to an acceptable level by applying safeguards. However, a member’s firm may design or develop a system that is not related to an attest client’s FIS (or other subject matter of the attest engagement) if the general requirements of 1.295 are met.
Implementing an information system means a member installs, configures, interfaces, customizes, or translates data; these services occur after the system is designed and developed but before it is available to the client for use on a regular basis. When a third-party vendor (that is not the member’s firm) designs and/or develops the software, the interpretation refers to the software as a “commercial off-the-shelf” or “COTS” solution. A COTS solution runs on a company’s computers or third-party vendor’s “cloud” infrastructure and ranges from simple, ready-to-install software packages to large-scale, complex enterprise applications. Like design and development services, implementing a system that is unrelated to a client’s FIS (or other subject matter of the attest engagement) does not impair independence if the general requirements of 1.295 are met.
Implementing a COTS Solution
If a member implements a COTS solution related to an attest client's FIS (or other subject matter of the attest engagement), independence may still be maintained if the member does not perform design or development services, as described in the following table:
System and Network Maintenance, Support, and Monitoring
Post-implementation system or network maintenance, support, or monitoring services may raise independence concerns, primarily management participation threats. For example, an attest client should not outsource to the member an ongoing function, process, or activity that allows the member to assume a management responsibility, which impairs independence. Examples include services in which the member:
operates an attest client's network;
supervises personnel operating the client's information system(s);
monitors or maintains the attest client's network performance;
manages the client’s information technology (IT) help desk;
performs ongoing network maintenance; or
maintains security for the client’s networks or systems.
Services generally would be permissible if they:
do not involve an outsourced function, process, or activity;
are separate and distinct;
are not performed on an ongoing basis; and
meet the general requirements of 1.295.
Examples include services in which the member:
analyzes an attest client’s network and provides observations or recommendations to the client;
applies virus protection solutions or updates that the member did not design or develop;
applies certain updates and patches that the member did not design or develop;
provides advice, training, or instruction to the client on a new software solution; or
evaluates the design or operating effectiveness of an attest client’s security over IT security policies or practices.
The revised interpretation becomes effective January 1, 2021, and early implementation is allowed. Members implementing the new rules are encouraged to contact the AICPA Ethics Division with questions at firstname.lastname@example.org.