New Guidance for Applying International Independence Standards in Technology-related Scenarios

Last week, the staff of the International Ethics Standards Board for Accountants (IESBA) and the Accounting Professional & Ethical Standards Board (APESB) jointly issued nonauthoritative guidance on how to apply recently adopted international independence standards to technology-related services.

Summary

Relevant provisions. The publication provides a brief introduction followed by a summary of the relevant provisions in Part 4A of the International Code of Ethics for Professional Accountants (including International Independence Standards) - the IESBA Code. Specifically, a firm or network firm (firm) should not assume any management responsibilities, including, for example, hosting an audit client’s data or operating a client’s information technology (IT) systems. Among other things, the firm should be assured that management will assume full responsibility for its IT and internal control systems and make all management judgments and decisions with respect to the firm’s non-assurance services (NAS).

The summary emphasizes that, before a firm can accept an engagement to perform a permissible NAS for an audit client, the firm must identify and evaluate threats to independence by applying the conceptual framework. If threats are not at an acceptable level, the firm must apply safeguards to reduce such threat(s) to an acceptable level; if safeguards are not available or sufficient, the firm should not accept the NAS work. A key threat to examine is the self-review threat, which means there is a risk that: (i) the results of the NAS will impact or form part of the accounting records, financial statements, or internal controls over financial reporting, and (ii) the audit team will evaluate or rely on the NAS work performed by the firm. Under the recently revised NAS provisions, a firm may not perform NAS for a Public Interest Entity (PIE) audit client when a self-review threat exists. Auditors of non-PIEs should consider certain factors such as the extent to which the NAS will impact or interact with the client’s financial statements and the degree of reliance the client will place on the IT system(s) as part of its audit. If threats are significant, the auditor should determine whether safeguards may mitigate the threat(s) to an acceptable level.

Indirect services. The summary also discusses “indirect services,” a term that does not appear in the revised independence provisions. The example provided is as follows: a firm sells software it has developed to a non-audit client. The client uses the software internally. Depending on the specifics (e.g., software’s functionality and the results it generates), indirect services could create a self-review threat that would preclude the firm from selling its software to a PIE audit client. If the non-audit client uses the firm’s software when providing services to its (the client’s) customers, the firm should identify and evaluate the level of self-review threat that might be created and determine whether safeguards might reduce such threats to an acceptable level. Similarly, a firm may engage in a close business relationship with another entity that sells or licenses technology to a client and this too should be considered under Section 600, Provisions of Non-assurance Services to an Audit Client.

IT system services. Examples of IT system services that may create a self-review threat include designing, developing, monitoring, supporting, or upgrading an audit client’s IT system(s) and implementing accounting software developed by the firm or a third party. IT systems include a client’s cybersecurity systems, and network and software applications. A relevant factor to consider in identifying and evaluating threats to independence is the client’s dependency on the NAS and the frequency of the service. If, for example, a client relies on a firm’s frequent cybersecurity assessments, and the client uses these assessments to support strategic decisions or to execute internal controls, the risk of self-review threats or assuming a management responsibility increases.

Scenarios. The final section of the publication provides three (3) scenarios that illustrate the application of recently adopted international independence standards, in particular, Technology-related Revisions. The scenarios are as follows:

• Firm would design and implement IT systems, including IT-related internal controls, for an audit client to better integrate sales and purchases with the general ledger.

• Firm would license IT software to assist an audit client in applying IFRS 17 (accounting for insurance contracts) and provide ongoing software support services.

• Firm would use software to perform bookkeeping services and prepare financial statements for an audit client.

For each scenario, the publication outlines some key considerations when applying the IESBA Code, including, for example, the risk of assuming a management responsibility, identifying and evaluating threats to independence, and specific prohibitions for PIE and non-PIE audit clients.

Closing

All told, this jointly issued guidance provides helpful information to firms performing technology-related services for audit clients.