Recently, the AICPA’s Professional Ethics Executive Committee (PEEC) issued one (1) new interpretation and revised five (5) existing interpretations under the Independence Rule (ET sec. 1.200.001) of the AICPA Code of Professional Conduct (the “Code”). They are:
- Information System Services (ET section 1.295.145) - REVISED
- State and Local Government Client Affiliates (ET section 1.224.020) - REVISED
- Staff Augmentation Arrangements (ET section 1.275.007) - NEW
- Client Affiliates (ET section 1.224.010) - REVISED
- Agreed Upon Procedures (ET section 1.297.020) - REVISED
- Scope and Applicability of Nonattest Services (ET section (ET section 1.295.010) - REVISED This article highlights these changes to the Code’s independence rules.
Information System Services
In June 2019, PEEC adopted a revised interpretation, Information System Services (formerly Information Systems Design, Implementation, or Integration) (ET sec. 1.295.145), which addresses possible self-review and management participation threats related to:
- Design and development services
- Implementation services, which includes installation, customization, integration, interfacing, configuration, and data translation related to commercial “off the shelf” software
- System and network maintenance, support, and monitoring services
Shortly after the COVID-19 pandemic hit, the PEEC agreed to defer the effective date of the revised interpretation for one (1) year, which will now become effective on January 1, 2022.
Design and Development Services
The revised interpretation defines certain terms relevant to information system services (ISS). For example:
- “Designing an information system” means your firm will determine how a system or transaction will function, process data, and produce results to provide a blueprint for the development of software code (programs) and data structures.
- “Developing an information system” means your firm will create software code, which your firm will later test to confirm that the code is functioning as designed.
A firm may not design or develop an information system that is related to an attest client’s financial information system (“FIS”) as those services create self-review threats that impair independence. However, if the General Requirements for Performing Nonattest Services (ET section 1.295.040) (“General Requirements”) are met, a firm may design or develop a system that is not related to the client’s FIS. Financial and nonfinancial systems often interact, so the question of whether proposed nonattest services are related to an FIS may not always be clear. Thus, to evaluate independence, it is critical to understand how the system your firm designs or develops interfaces (or will interface) with the client’s financial reporting and related systems.
The following excerpts appear in the revised interpretation. Under Terminology (paragraph .03):
a. A financial information system (FIS) is a system that aggregates source data underlying the financial statements or generates information that is significant to either the financial statements or financial processes as a whole. An FIS includes a tool that calculates results unless
i. the tool performs only discrete calculations;
ii. the attest client evaluates and accepts responsibility for the input and assumptions; and
iii. the attest client has sufficient information to understand the calculation and the results.
Under Design or Develop an FIS (paragraph .06):
To determine whether a nonattest service is related to an FIS, members should consider all relevant factors, such as whether the nonattest service will affect the following:
- System controls or system output that will be subject to attest procedures.
- A system that generates data that are used as input to the financial statements, including data or information that is either reflected in or used in determining amounts and disclosures included in the financial statements.
- A data-gathering system, such as an analytical or reporting tool, that is used in management’s decision-making about matters that could significantly affect financial reporting.
- A system that is part of the attest client's internal controls over financial reporting, including information systems used to effect internal controls over financial reporting (for example, a system used to ensure that information produced for the financial statements is accurate). However, information systems used only in connection with controlling the efficiency and effectiveness of operations are considered unrelated to the financial statements and accounting records.
It is important to note that a tool that performs only discrete calculations would not be considered an FIS if certain conditions are met. For example, the firm may design a spreadsheet that calculates depreciation expense if the client understands how the tool works and takes responsibility for inputting the appropriate data and evaluating the results.
Implementation services include installation, configuration, data translation, interfacing, and customization services. Many firms work with commercial off-the-shelf software systems (“COTS software”) that are designed and developed by a third party, for example, QuickBooks, Microsoft Azure, or even an SAP enterprise software system are COTS software. A firm meeting the General Requirements may install general ledger COTS software and configure the software to the client’s specifications. However, not all implementation services are permissible. If the firm translates data, designs the interface between the client’s systems, or customizes the COTS software that relates to an FIS, independence would be impaired due to self-review threats.
System and network maintenance, support, or monitoring services related to an attest client’s financial or nonfinancial information system impair independence when they create management participation threats to independence. If the client engages your firm to perform an ongoing function, process, or activity for which your firm has assumed responsibility, your independence is impaired - even if you believe that management has suitable skill, knowledge, or experience to oversee your firm’s services and make all the decisions.
Examples of impermissible post-implementation services include those in which your firm:
- Operates the attest client's network
- Supervises client personnel who operate the client's information systems
- Monitors or maintains the attest client's network
- Operates or manages the attest client’s information technology help desk
- Performs ongoing network maintenance
- Maintains the security of the attest client’s networks and systems
Post-implementation services may be permissible if the services are individually separate, distinct, and not ongoing.
Note: The ISS interpretation applies to all attest services, including those in which the subject matter is not a client's financial statements. Firms should analogize as needed by defining an FIS
as any information system that is subject to the firm’s attest procedures and considering the relevant factors in paragraph .03a of the interpretation.
The AICPA plans to release a practice aid (checklist) that will assist members as they implement the revised standard.
State and Local Government Client Affiliates
In June 2019, the AICPA issued an Official Release, State and Local Government Client Affiliates (formerly “Entities Included in State and Local Government Financial Statements,”) (ET sec. 1.224.020). Like the ISS interpretation, PEEC deferred the effective date of this interpretation for one (1) year, which will now become effective for years beginning after December 15, 2021. The interpretation also includes a terminology section.
State and local governments (“SLGs”) are entities whose financial reporting are governed by the Governmental Accounting Standards Board (GASB) and include general purpose and special purpose governments, including (among others):
- School districts
- Colleges and universities
- Financial authorities
- Public transport systems
Similar to the Client Affiliate rule (ET sec. 1.224.010), the firm must be independent of an affiliate of its SLG financial statement attest client (“FSAC”) even if the firm provides no attest services to the affiliate. An entity is an FSAC when the firm performs a financial statement audit or review or compiles financial statements without disclaiming independence in the report.
Given the unique structure of SLGs and their related entities, the interpretation takes a very different approach than the Client Affiliates interpretation, which applies more broadly to entities like corporations, partnerships, employee benefit plans, and trusts.
The following table describes at a high level the entities that would be considered affiliates of an SLG FSAC:
- “Entity” is broadly defined and can include funds, component units, departments, agencies, programs, organizational units, fiduciary activities, custodial activities, employee benefit plans; it can even include suborganization units of these entities.
- There is a rebuttable presumption that an FSAC has more than minimal influence over the accounting or financial reporting process of the FSAC’s funds and blended component units.
Other elements of the interpretation are:
- An exception applicable to certain nonattest services provided to an affiliate of an FSAC
- A requirement to expend “best efforts” to identify affiliates and take certain actions
- when the firm is unable to obtain needed information (e.g., discuss the matter with those
- charged with governance)
- Guidance on how to determine “more than minimal influence” and materiality
The interpretation also emphasizes that a firm may encounter situations that create threats requiring evaluation under the Conceptual Framework for Independence (ET sec. 1.201.010). Several examples, including the following, are included:
- The firm is considering providing financial information system design services to a nonaffiliate in which the same financial information system would also be used by the FSAC.
- The AICPA released an SLG Client Affiliate Implementation Guide (Guide) to assist members in their understanding and application of the revised interpretation. The Guide includes decision trees, real world examples, an interactive SLG affiliate matrix, and SLG affiliate calculators.
Staff Augmentation Arrangements
In March 2021, the PEEC released Staff Augmentation Arrangements, a new independence interpretation under the Current Employment or Association with an Attest Client subtopic. A staff augmentation arrangement (“SAA”) exists when a firm lends its personnel to an attest client to provide the client additional staffing for a limited period of time. It differs from the typical professional services engagement because the client’s management – not the firm - is responsible for supervising the firm’s personnel (“augmented staff”) and directing the work. The interpretation seeks to address possible familiarity, management participation, advocacy, and self-review threats to independence.
Under the new interpretation, an SAA is permitted only under very limited circumstances, essentially, when the attest client encounters an unexpected situation that creates significant hardship for the client to make other arrangements and certain additional safeguards are met. Generally, the arrangement would be expected to last 30 days or less to help mitigate any threats to the appearance of independence.
Safeguards required under the interpretation are:
- The firm does not expect the SAA to recur.
- The firm’s augmented staff do not participate in and are unable to influence the attest
- engagement covering any period that includes the SAA.
- The firm’s augmented staff only perform activities that are permissible under the
- Nonattest Services subtopic of the Independence Rule.
- The client will designate a person with suitable skill, knowledge, and experience to oversee the augmented staff’s activities and will:
o Determine the nature and scope of the activities;
o Supervise the augmented staff; and
o Evaluate the adequacy of the SAA activities and the findings that result.
Concurrent with this interpretation, PEEC amended three (3) independence interpretations as discussed in the following sections:
PEEC amended the Client Affiliates interpretation to allow firms to enter into SAAs with certain affiliates of a financial statement attest client (“FSAC”). Like most other exceptions available to affiliates, the exception would not apply to affiliates that are reported in the FSAC’s consolidated financial statements. For example:
Company A, an FSAC (e.g., audit client), exercises significant influence over Company B, which is material to Company A and controls Company C (both B and C are affiliates of A). The firm could not have an SAA with B or C unless the arrangement meets the same safeguards and conditions (described above) that apply to A.
However, under the revised Affiliates interpretation, the firm could potentially have SAAs with other types of affiliates such as A’s parent or sister company. To apply the exception, the firm should determine whether significant threats to independence exist, and if so, whether safeguards can sufficiently reduce those threats.
Agreed-Upon Procedures Engagements
A new paragraph in the Agreed-Upon Procedure Engagements Performed in Accordance with SSAEs (ET section 1.297.020.04) interpretation provides a possible exception for attest engagements a firm provides under the Statements on Standards for Attestation Services (SSAEs) follows:
SAAs are delivered as professional services engagements, so to help ensure that members apply the appropriate provisions, PEEC added a reference in the Scope and Application of Nonattest Services (ET sec. 1.295.010) interpretation to the new Staff Augmentation Arrangements interpretation.
The new interpretation and revised related interpretations will be effective on November 30, 2021. Nonauthoritative guidance appears in Frequently Asked Questions: General ethics.
The material in this publication is provided with the understanding that the author and publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. The author and publisher make no representations, warranties, or guarantees as to and assume no responsibility for the content or application of the material contained herein, and expressly disclaim all liability for any damages arising out of the use of, reference to, or reliance on such material. You may reprint material in this newsletter if it is unaltered and credited to the author and Audit Conduct. If being reproduced electronically, the following link must also be included: www.auditconduct.com. © Copyright 2021 – Audit Conduct, LLC. All Rights Reserved.