Nonattest Services & Independence in the Age of COVID-19, Part 1

Note: A PDF of this article is available below.

A recent poll by Inovautus Consulting, Growth Outlook Amid COVID-19 indicated that 55 percent of accounting firms created and launched new professional services as a result of the COVID-19 crisis. Other polls, including our own, have indicated that the nonattest (advisory and tax) services many firms are providing (or have provided) to their clients during the pandemic include:  

• CARES Act advisory services, including assistance with the federal Payroll Protection Program (PPP) and PPP loan forgiveness

• Cyber-security consulting

• Cash flow management advisory services

• Business continuity / bankruptcy / restructuring consulting

• Assistance with insurance claims

• Tax strategy consulting

This article, which will be published in two parts, summarizes the application of the independence rules when these services are provided to an attest client. The article will focus on the independence rules of the American Institute of Certified Public Accountants (AICPA’s) Code of Professional Conduct but note where the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) independence rules require additional consideration.

Prior to performing nonattest services, practitioners should comply with the General Requirements for performing Nonattest Services  in ET 1.295. 040 in the AICPA Code of Professional Conduct (general requirements). To avoid management responsibilities, firms must first reach agreement with the client on the appropriate division of duties during the engagement. Key to this is ensuring that the client will designate a person with suitable skill, knowledge, and/or experience to oversee the nonattest services and make all management decisions and judgments during the engagement.


Many firms have been providing advisory services related to the CARES (“Coronavirus Aid, Relief, and Economic Security”) Act, mostly in connection with PPP loan applications and subsequent loan forgiveness.  Governments imposed emergency “lock-downs” to control the spread of the virus and Congress was quick to provide aid to the unemployed and to impacted (mostly) small businesses. Given the speed of the effort, interpretations on how to apply the law – including the PPP loan provisions – have been changing and taken months to sort out. CPA firms have stepped in to help their clients interpret the myriad regulations and guidance emerging since April.  

Assistance with PPP Applications

A primary objective of the CARES Act was to help companies endure the pandemic lock-down period and keep their pre-COVID workforce intact. PPP loans, issued by the U.S. Small Business Administration (SBA), were designed to help small businesses avoid laying off workers and going under during the crisis. The deadline for applying for a PPP loan expired in early August, but many are hoping that Congress will issue new legislation to extend the program since business – like life - has not yet returned to normal. The following questions and answers are based primarily on guidance the AICPA’s Professional Ethics Division released in April:

Can I prepare the PPP loan application for my attest client?

The bulk of the PPP loan application seeks representations that either the client or its legal representative should complete. The form requires minimal financial information, so practitioners can advise their attest clients on the information needed and help them determine the amounts to include in the form but should not complete the form for them. Preparing the application and signing as an attest client’s representative creates significant management participation and advocacy threats to independence. Further, SBA regulations seem to indicate that a professional who prepares an application for financial assistance with the SBA is acting as an “agent” or “authorized representative” for the applicant, another reason for avoiding such activities.

May I receive an “agent’s fee” for helping to prepare an attest client’s PPP application?

Though called an “agent’s fee,” in April, the AICPA’s Professional Ethics Executive Committee (PEEC)   concluded that it was not a prohibited contingent fee (ET sec. 302) because (i) the SBA determined the loan amount based on an objective formula, (ii) its intent was to fund all qualifying entities’ loans, and (iii) the US Treasury determined the fee. (Note: I was appointed to PEEC in May 2020. All views expressed in this article are my own and do not represent positions of PEEC or the AICPA.) 

May I help my financial institution attest client (PPP lender) process PPP loan applications?

The AICPA Code does not specifically address this type of service, so firms should apply the Conceptual Framework for Independence (ET sec. 1.210.010) in addition to the general requirements. To maintain independence, firms must avoid performing management responsibilities such as authorizing transactions or performing activities that are part of the client’s internal controls over financial reporting.  

NOTE: If the lender is an insured depository institution subject to Section 36 of the FDIC Improvement Act (FDICIA), the auditor must comply with SEC and PCAOB independence rules, in addition to the AICPA Code. Therefore, if the lender is subject to FDICIA or otherwise subject to SEC and PCAOB rules, firms should consider the SEC’s general standard in Rule 2-01, Qualifications of Accountants, which emphasizes the appearance of the firm’s independence to a reasonable and informed investor, and the four (4) overriding principles. Those principles state the following:

SEC General Standard / Principles

SEC and/or PCAOB rules would likely prohibit or severely limit the assistance firms can provide due to application of the above principles, including the proscription on acting as management or an employee of the audit client.

Can my firm lend staff to a financial institution attest client to help the client process PPP loan applications?

The AICPA Professional Ethics Division released a podcast in April that addressed various ethics issues related to PPP loan services. On this topic, the AICPA staff noted that practitioners should not rely on an Exposure Draft (ED), Staff Augmentation Arrangements, as PEEC has not adopted the proposed interpretation. (Note: In August, the PEEC agreed to issue a revised, more restrictive version of the ED.) Instead, the staff recommended that practitioners apply the Code’s Conceptual Framework for Independence to determine whether the arrangement impairs independence. Relevant considerations in the Conceptual Framework include:

  • Avoidance of self-review, familiarity, advocacy, and management participation threats, both in fact and in appearance. For example, augmented staff should not supervise the client’s employees or perform tasks that are part of the client’s internal controls, which would create significant management participation threats.
  • Determining whether applying appropriate safeguards may mitigate threats to independence, e.g., augmented staff will not perform attest services covering any periods in which they served as augmented staff or an independent professional (internal or external to the firm) will perform a second review of the firm’s work product. A lack of sufficient safeguards would preclude the auditor from performing this service for an attest client.

NOTE: Auditors of lenders subject to FDICIA, SEC and/or PCAOB rules should not augment their clients’ personnel; the SEC has clearly stated that lending staff to an audit client is a prohibited employment activity that impairs independence.

Assistance with PPP Loan Forgiveness

Many CPA firms, including those that assisted attest clients with PPP loan applications, have been or may be asked to help their clients determine whether all or part of their loans can be forgiven under SBA guidelines. Also, PPP lenders have sought assistance tracking PPP loan applications.

Answers related to these issues are summarized below:

May a firm give a financial institution attest client (PPP lender) a firm-developed template, (e.g., EXCEL spreadsheet) to track loan forgiveness?

In the previously-mentioned podcast, the AICPA staff advised firms to consider a recently revised independence interpretation, “Information System Services,” for guidance.

The interpretation states that designing or developing a client’s financial information system impairs independence due to a significant self-review threat. However, firms may provide a spreadsheet, tool or template that performs only a discrete calculation if the attest client:

  • evaluates and accepts responsibility for the input and assumptions when using tool; and
  • has sufficient information to understand the calculation and the results.

NOTE:  Auditors of lenders subject to FDICIA, SEC and/or PCAOB rules should consider Frequently-Asked-Question no. 9 under Nonaudit Services in the Office of the Chief Accountant: Application of the Commission's Rules on Auditor Independence: Frequently Asked Questions. That guidance states that a firm should not license or sell a firm-developed module whose purpose is to prepare a significant element of the company's financial statements, as it would constitute the design and implementation of a financial information system, which is a prohibited non-audit service.

Cyber-security Advisory Services  

The AICPA Code does not specifically address cyber-security advisory services; however, nonauthoritative guidance, in the form of five (5) frequently-asked-questions (FAQs) in Frequently Asked Questions: Nonattest services, exist and are briefly summarized:  

General training, best practice reviews and advice and recommendations on improving cyber-security policies and procedures are permissible services, assuming compliance with the general requirements. However, the firm may not design or develop the client’s cyber-security policies or procedures. As for attack and penetration testing, there are two (2) possible outcomes: separate, periodic evaluations of the client’s controls would be permissible if they are not part of the client’s day-to-day business processes. However, performing any type of ongoing evaluation that is part of the client’s monitoring activities is a management responsibility that will impair independence.

NOTE: When applicable, practitioners should scrutinize proposed nonaudit services that are not specifically prohibited in the SEC or PCAOB’s independence rules for compliance with the general standard, related principles, and guidance (e.g., FAQs). The SEC staff encourages consultation with the agency’s Office of the Chief Accountant when the application of SEC independence rules is unclear. The FDIC staff also encourage consultation; guidance on consulting with the FDIC on an independence issue is included in the first item referenced below under Resources.

Additional Resources:

  • How to maintain independence in audits of insured depository institutions, Journal of Accountancy, April 2018
  • Center for Plain English Accounting, Small Business Loans Under the Payroll Protection Program: Issues Related to CPA Involvement, AICPA Center for Plain English Accounting (April 22, 2020)
  • Ep.20: PPP forgiveness engagements — Ethics Qs&As (AICPAPodcast, 9/4/20)


The material in this publication is provided with the understanding that the author and publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. The author and publisher make no representations, warranties, or guarantees as to and assume no responsibility for the content or application of the material contained herein, and expressly disclaim all liability for any damages arising out of the use of, reference to, or reliance on such material. You may reprint material in this newsletter if it is unaltered and credited to the author and Audit Conduct. If being reproduced electronically, the following link must also be included: © Copyright 2021 – Audit Conduct, LLC. All Rights Reserved.