The second of a two-part article on the independence considerations audit firms should have in mind as they provide nonattest services to their attest clients. A formatted PDF version of the article is available for download below.
Part 1 of this article examined certain professional services CPA firms are performing for attest clients due to the COVID-19 crisis, emphasizing services related to the Payroll Protection Program (PPP), including loan forgiveness, and cyber-security advisory services. This part summarizes the application of the American Institute of Certified Public Accountants (AICPA) independence rules in the Code of Professional Conduct (Code) to more services, specifically, cash flow management, business continuity and related advisory services, assistance with insurance claims, and tax advisory services. The article will flag areas in the rules when Securities and Exchange Commission (SEC) and/or Public Company Accounting Oversight Board (PCAOB) independence rules would likely limit or prohibit the service, which if permissible, would also be subject to pre-approval by the client’s audit committee.
In all cases discussed below, firms should comply with the General Requirements for Performing Nonattest Services (1.295.040), which requires (among other things) agreement by the client to designate a person with suitable skill, knowledge, and/or experience to oversee the firm’s services, make decisions and judgments, and accept responsibility for the services.
Cash Flow Management Advisory Services
Business shutdowns and slowdowns have forced companies to keep a close eye on cash flow, creating opportunities for firms to assist their clients with cash flow modeling and forecasting. The AICPA Code does not provide explicit guidance on these services, so the practitioner should carefully consider general guidance in 1.295, Nonattest Services (a subtopic under the Independence Rule) and the Code’s Conceptual Framework for Independence (1.210.010), which are described below.
Advisory Services Interpretation
Advisory Services (1.295.105) applies to all advisory services provided to attest clients and is designed to avoid activities that raise significant self-review and management participation threats to independence. Under this interpretation, practitioners can help management make decisions and develop plans and strategies by advising the client and providing research materials and recommendations. The firm may also interpret financial statements, forecasts, or other analyses and attend board meetings in an advisory capacity to assist management.
Management Responsibilities Interpretation
The Management Responsibilities Interpretation (1.295.030) provides a general description of the term and several examples, as the cardinal rule for maintaining independence when performing nonattest services is to avoid all such activities. Applying this interpretation to cash management services, firms should be careful to not:
set policy or strategic direction for the attest client
decide which recommendations the client should implement or prioritize
report on behalf of management to those charged with governance
accept responsibility for preparing the attest client’s financial statements
perform monitoring activities that are ongoing evaluations of the client’s internal control
To achieve this, the client’s designee - a suitably skilled and knowledgeable person acting for the client – should determine the assumptions, estimates, and judgments used in any modeling or forecasting activities and take responsibility for any produced reports.
Conceptual Framework for Independence
The conceptual framework approach is embedded in the Code and is required and useful in evaluating threats to independence when explicit guidance does not exist. Depending on the specifics, if the client engages the firm to assist in developing a cash forecast or projection, self-review, management participation, and/or advocacy threats could exist. These may be summarized as follows:
Self-review threat: threat that the firm will fail, when performing audit or other attest services, to appropriately review the firm’s own work product from a nonattest service
Management participation threat: threat that the firm will take on the role of management or perform a management responsibility
Advocacy threat: threat that promoting the client’s interests or position will compromise independence
If one or more threats exist, the next consideration is whether the threat is significant. A significant threat to independence is not at an acceptable level if a reasonable and informed third party (e.g., investor or lender) would likely question the firm’s independence. When a threat is significant, the firm must apply safeguards to eliminate the threat completely or at a minimum, reduce the threat to an acceptable level. Otherwise, the firm should not perform the nonattest services – or should decline to continue performing attest services.
Determining significance. The significance of the threat will depend on a variety of factors, including (for example) how closely involved the firm will be in developing the projection or forecast and how the client will use the services. For example, threats may be viewed as less significant if the firm’s deliverable will only be used internally by management as a basis to improve operational effectiveness, or more significant if the firm’s deliverable will support the client’s capital-raising or borrowing activities. Likewise, the greater the firm’s impact on the client’s reports, the greater the threats may be. Consider both quantitative and qualitative aspects of the environment – for example, whether the client’s viability depends on obtaining new funds from lenders or investors. The key question is this: would the reasonable and informed third party believe the auditor can maintain its independence in these circumstances?
NOTE: If the attest client is subject to SEC and/or PCAOB independence rules, firms should evaluate the services under the SEC’s general standard of independence and four (4) overarching principles shown in the blue box below. The appearance of independence to a reasonable and informed investor should prevail. The SEC’s Management Functions rule also prohibits the auditor from performing any decision-making, supervisory, or ongoing monitoring function for the client. Further, given the connection of these services to financial reporting and the SEC’s total ban on such, these services likely will be prohibited or severely limited.
If the firm would design or develop a technology solution (for example, an analytical tool) to help the client manage cash flow, consider a recently revised independence interpretation, “Information System Services” (1.295.145). To avoid a self-review threat that impairs independence, the practitioner should determine whether that service is related to the client’s financial information system (FIS). Designing or developing a client’s FIS impairs independence. Excerpts from the interpretation appear below:
a. A financial information system (FIS) is a system that aggregates source data underlying the financial statements or generates information that is significant to either the financial statements or financial processes as a whole. An FIS includes a tool that calculates results unless
i. the tool performs only discrete calculations;
ii. the attest client evaluates and accepts responsibility for the input and assumptions; and
iii. the attest client has sufficient information to understand the calculation and the results.
To determine whether a nonattest service is related to an FIS, members should consider all relevant factors, such as whether the nonattest service will affect the following:
a. System controls or system output that will be subject to attest procedures.
b. A system that generates data that are used as input to the financial statements, including data or information that is either reflected in or used in determining amounts and disclosures included in the financial statements.
c. A data-gathering system, such as an analytical or reporting tool, that is used in management’s decision-making about matters that could significantly affect financial reporting.
d. A system that is part of the attest client's internal controls over financial reporting, including information systems used to effect internal controls over financial reporting (for example, a system used to ensure that information produced for the financial statements is accurate). However, information systems used only in connection with controlling the efficiency and effectiveness of operations are considered unrelated to the financial statements and accounting records.
NOTE: Under SEC independence rules, a firm may not design or implement software that aggregates source data underlying the client’s financial statements or generates information that is significant to the financial statements or other financial information systems taken as a whole. Additional considerations included in the AICPA interpretation discussed above do not apply to engagements subject to SEC and/or PCAOB rules. Only very limited advice, for example, on best practices with respect to a client’s existing cash flow model, may be permissible if the firm complies with the general standard of independence and four (4) overarching principles, and the advice relates to the client’s existing processes and procedures.
Business Continuity and Related Advisory Services
Like cash management advisory services, firms have been called upon to advise clients on potential strategies to help ensure continued viability through a restructuring and/or bankruptcy or other strategy. Again, practitioners may look to the Conceptual Framework, Advisory Services, and Management Responsibilities interpretations as no explicit guidance exists in the Code on these services. As always, obtain the client’s agreement to assign a knowledgeable person who can perform all management responsibilities.
Consider possible self-review threats, for example:
Will the firm design a financial projection or prepare a valuation that supports the client’s restructuring?
o Will the client’s designee determine the inputs and assumptions used in the projection?
o Is the valuation of a subjective nature and will it be material to the client’s financial statements? (If so, see 1.295.110)
Will the client’s audit opinion likely include a “going concern” modification?
Is the client likely to be in a situation where significant assets are impaired?
Will the audit team, in fact or appearance, be able to appropriately evaluate the results of the firm’s services when forming audit judgments?
Consider possible advocacy threats, for example:
Will the firm’s personnel negotiate on the client’s behalf with the client’s creditors or others?
Is the matter urgent, e.g., is the client under significant pressure to restructure or obtain additional financing just to survive?
Consider possible management participation threats, for example:
Will the client expect the firm to determine which strategy the client should take – either at a micro (specific actions) or macro (overall direction) level - to prevent bankruptcy or other negative outcomes?
Some of the above concerns may be overcome with safeguards, while others – as indicated in the Management Responsibilities interpretation and the Conceptual Framework – cannot. For example, a practitioner may assist client management in a negotiation process if the client is also present. However, it’s important to consider the impact of the practitioner’s presence and participation may have on other attendees in the meeting, particularly those relying on the information being presented by the client.
NOTE: Given the strategic nature of the services, and association with the client’s financial reporting and viability, business continuity and related advisory services will likely be prohibited or severely limited for engagements requiring SEC or PCAOB independence.
Assistance with Insurance Claims
A big part of a company’s financial recovery from the impact of COVID may hinge on its ability to recover from such losses through insurance. Firms typically assist clients with insurance claims as a forensic accounting service. Forensic Accounting Services (1.295.140) provides independence guidelines to firms providing investigative and litigation support services to attest clients, essentially limiting such services to fact finding and analysis without the appearance of advocacy. These services are generally permitted but if litigation arises in connection with an insurance claim, be aware that expert services raise unacceptable advocacy threats, and impair independence, so this possibility should be considered and monitored.
NOTE: If the attest engagement is subject to SEC and/or PCAOB independence rules, firms should evaluate the services given the SEC’s general standard, Management Functions rule, and four (4) overarching principles. SEC rules include a similar proscription for expert services as the Code. Under no circumstances should the firm prepare insurance forms on the client’s behalf.
Tax Strategy Advisory Services
Though tax compliance services are addressed in 1.295.160, firms should evaluate tax strategy advisory services under the Advisory Services, Management Responsibilities, and Conceptual Framework interpretations, as previously discussed. Contingent fee arrangements are problematic unless they meet the provision in 1.510.010, Tax Matters, under the Contingent Fees Rule.
That provision allows a practitioner to receive a contingent fee for performing tax services when it’s reasonably assured that the government will review the information and make a substantive determination as to the outcome (e.g., success and/or amount of a tax credit). This takes the determination of the “performance-based” fee out of the practitioner’s hands, negating any possible (or perceived) self-interest threat to objectivity.
NOTE: SEC and PCAOB independence rules do not address tax strategy services, so the general standard, principles and Management Functions rule should guide the evaluation. For example, the outcome of the tax strategy engagement should not form the basis of the client’s tax provision or other financial reporting, which would result in a “self-audit” proscription. The firm should not develop the strategy that the client will implement, which would place the firm in a management role. In addition, the SEC rules do not provide the exception for receipt of a contingent fee in the situation just described.
Practitioners should adopt a proactive approach to prevent “scope creep” - the delivery of different or additional services to the client than those initially agreed upon. A good practice is to include language in the firm’s engagement letter with the client that (i) acknowledges the possibility, and (ii) requires change orders or similar agreements before any additional or amended services are provided. The agreement should specify that all additional or amended services must be in accordance with applicable independence standards. Of course, an agreement alone is not enough. To avoid scope creep in practice, the engagement team must have a clear understanding of the services, activities to be avoided, and the deliverables. If the client requests additional services or otherwise changes the scope of the engagement, the team should inform the attest partner immediately (and possibly engage the firm’s independence resources) to determine whether those services will impact independence. Lacking these protocols, scope creep can easily seep into an engagement and in some cases, impair the firm’s independence. Once that occurs, it’s too late and the firm may need to deal with an independence breach.
Though not specifically addressed in this article, a few other interpretations in 1.295 of the Code may be relevant in evaluating independence during the COVID crisis:
1.295.020 Cumulative Effect on Independence When Providing Multiple Nonattest Services
1.295.110 Appraisal, Valuation, and Actuarial Services
1.295.130 Corporate Finance Consulting
1.295.143 Hosting Services
The material in this publication is provided with the understanding that the author and publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. The author and publisher make no representations, warranties, or guarantees as to and assume no responsibility for the content or application of the material contained herein, and expressly disclaim all liability for any damages arising out of the use of, reference to, or reliance on such material. You may reprint material in this newsletter as long as it is unaltered and credited to the author and AUDIT CONDUCT. If being reproduced electronically, the following link must also be included: www.auditconduct.com.