One primary responsibility of the AICPA’s Professional Ethics Executive Committee (PEEC) is to monitor and, when necessary, change the Code of Professional Conduct (Code). The reasons for amending the Code include changes in professional practice, changes to the International Code of Ethics for Professional Accountants (including the International Independence Standard), or concerns about the existence or clarity of the rules’ interpretations. Before PEEC publishes changes to the Code in the Journal of Accountancy’s Official Releases, the Committee exposes the changes and its rationale to allow members and others to comment. Before issuing a final pronouncement, the PEEC carefully considers and discusses any comments in meetings open to interested parties.

PEEC adopted the following changes to the independence interpretations, which will go into effect on January 1, 2023:

  • Information System Services
  • Loans, Acquisitions, and Other Transactions
  • Unpaid Fees
  • Assisting Clients with Implementing Accounting Standards

In this first of a four-part series, I will briefly discuss changes to the Information System Services interpretation, and reference accompanying nonauthoritative guidance.

Information System Services

In May 2019, the PEEC adopted “Information System Services” (ISS), which supersedes “Information Systems Design, Implementation, or Integration” (ET sec. 1.295.145). PEEC has deferred the effective date of the interpretation twice, first due to COVID-19, and then to allow for an educational effort.

ISS addresses possible self-review and management participation threats related to (i) design and development, (ii) implementation, and (iii) system and network maintenance, support, and monitoring services.

Terminology

The interpretation defines certain terms relevant to ISS, for example:

  • “Designing an information system” means your firm will determine how a system or transaction will function, process data, and produce results, providing a blueprint for the development of software code and data structures.
  • “Developing an information system” means your firm will create software code for one or more modules and test that code to confirm that it is functioning as designed.
  • “Commercial off-the-shelf” (COTS) means software that is developed, distributed, maintained, and supported by a third-party vendor, which includes software that runs on a client’s computers or on a third-party vendor’s “cloud” infrastructure.

Information System Design or Development

If a firm designs or develops a financial information system (FIS) for an attest client, independence is impaired due to the significant self-review threat. An FIS includes a system that aggregates source data underlying the client’s financial statements or generates information that is significant to its financial statements or processes. If, however, the firm will avoid performing management responsibilities and meets the other general requirements for performing nonattest services, the firm can design or develop a system that is not related to an attest client’s FIS.

Whether nonattest services are related to an FIS or not is a key question and the answer is not always clear. For example, a firm may perform services on an operating system that feeds data to an FIS. Therefore, to apply this interpretation, a firm needs to understand how the system will work and interact with other systems.

An FIS excludes a tool that performs only discrete calculations if the attest client:

  • evaluates and accepts responsibility for the input and assumptions; and
  • has sufficient information to understand the calculation and the results.

To meet this exception, the tool should incorporate calculations that are straightforward and impact only a narrow and specific part of an attest client’s financial statements. For example, the firm may design a spreadsheet that calculates depreciation expense if the client understands how the tool works and takes responsibility for inputting the appropriate data and evaluating the results.

Implementation

Implementation services include installation, configuration, data translation, interfacing, and customization services. Firms may assist clients by implementing COTS software systems that are designed and developed by a third party, for example, Intuit’s QuickBooks, Microsoft’s Azure, or an SAP enterprise software system. A firm meeting the general requirements may install COTS software related to an FIS (e.g., general ledger system) and configure the software to the client’s specifications. A firm may also implement a third-party vendor’s application, such as an application programming interface (API), to interface data from one system to another (connect two or more systems by passing data from one system to another) or provide data translation services to convert legacy system data to a format compatible with the new system. However, not all implementation services are permissible. If a firm designs or develops the software that translates data or provides the interface between the client’s systems, or customizes COTS software that relates to an FIS, independence would be impaired.

Post-implementation Services

Lastly, ISS addresses information system and network maintenance, support, or monitoring services. Whether an FIS or not, these services impair independence if your firm assumes management’s responsibility for an ongoing function, process, or activity. Examples include:

  • Operating the client's network
  • Supervising client personnel involved in operating the systems
  • Monitoring network performance
  • Performing ongoing network maintenance, such as updating virus protection solutions or applying routine updates and patches
  • Operating the client’s information technology (IT) help desk

In such cases, safeguards cannot reduce the management participation threat to an acceptable level, even if you believe your client has suitable skill, knowledge, and experience to oversee the service and make decisions.

If services are individually separate, distinct, and not ongoing and your firm complies with the general requirements, you may:

  • Analyze a network and provide recommendations
  • Apply a third party’s virus protection solutions, software updates, or patches on an ad-hoc basis
  • Provide advice, training, or instruction on a software solution
  • Assess the design or operating effectiveness of an attest client’s security over IT systems or security policies

Note: The ISS interpretation applies to all attest services, including those in which the subject matter is not a client's financial statements. Firms should consider the relevant factors in paragraph .03a of the interpretation to determine whether the proposed services would relate to an information system that will be subject to the firm’s attest procedures (that is, equivalent to an FIS).

Nonauthoritative Guidance

The Code is the only authoritative source of AICPA ethics rules and interpretations; however, the Professional Ethics Division (Division) often publishes nonauthoritative guidance to help members and others understand and implement new and revised interpretations. To date, the Division has published the following guidance:

  • Practice Aid: Independence considerations for information systems services

The ISS Practice Aid helps a user assess whether ISS are related to an FIS or meet the discrete tool exception, and whether design, development, implementation, or post-implementation services impair independence. Completing the evaluation can serve as documentation of the assessment.

  • Ethically Speaking Podcasts: ISS

The following episodes provide brief discussions on ISS:

  • #57 – Technology and ethical independence: where are the lines?
  • #58 – Client help desks and ethical independence
  • #59 – Can software patches for your clients impair independence?

  • Frequently Asked Questions: Nonattest Services

The Online Ethics Library, Q&A section 250 includes new frequently asked questions (FAQs) addressing such topics as help desk services, “hypercare,” and network maintenance and will include others on data-gathering systems, cybersecurity, and period of impairment shortly.

The ISS interpretation becomes effective January 1, 2023, and early implementation is allowed.

The material in this publication is provided with the understanding that the author and publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. The author and publisher make no representations, warranties, or guarantees as to and assume no responsibility for the content or application of the material contained herein, and expressly disclaim all liability for any damages arising out of the use of, reference to, or reliance on such material. You may reprint material in this newsletter if it is unaltered and credited to the author and Audit Conduct. If being reproduced electronically, the following link must also be included: www.auditconduct.com. © Copyright 2022 – Audit Conduct, LLC. All Rights Reserved.