by Glenn Cheney
New York -- The American Institute of CPAs’ Professional Ethics Executive Committee has tightened its rules on independence to limit and clarify the conditions under which auditors can offer non-attest services to audit clients.
Generally, the new rules —some of which are actually just clarifications of earlier rules — reaffirm the general principle that auditors may not perform management functions or make management decisions for their audit clients. To reinforce that separation, auditors and company officers will, in many cases, have to express in writing their understanding of the nature of the engagement and the distinct, segregated roles of management and the CPA.
“We’ve significantly clarified our position with respect to bookkeeping and internal audit outsourcing,” said Susan Coffey, AICPA vice president of self-regulation and Securities and Exchange Commission practice. “We have new restrictions in the area of valuation, appraisal and actuarial, and in IT implementation and design.”
Regardless of the nature of the engagement, CPAs performing non-attest services will require the client to assign a competent individual to oversee the service, set the scope of the service, evaluate results and accept responsibility for them, and generally maintain internal controls over the services. Auditors must assess the client to confirm that they have the ability to accept the responsibility for the engagement.
The rules will also require CPAs to comply with any more restrictive non-attest independence rules that are set by government regulators or state boards of accountancy.
The revised rules go into effect on Dec. 31, 2003. Engagements underway before that date can continue under the current rules but must be completed by Dec. 31, 2004.
Coffey said that the committee is walking a fine line in an attempt to require strict rules for public companies without creating burdens for nonpublic companies, many of which depend on their auditors for bookkeeping, information technology design, valuation and internal auditing.
A move toward SEC rules
The Securities and Exchange Commission (and Sarbanes-Oxley) already prohibits auditors from performing many of these non-attest services for public company audit clients. The AICPA rules would consider such services ethical for non-public companies under the specified conditions, but the rules, nonetheless, move toward SEC standards.
On information technology services, the AICPA rules are close to those imposed by the SEC. An auditor may not create or change the source code of a client’s financial reporting system. While auditors are also prohibited from designing such a system, they are allowed to install and help format prepackaged software.
The new rules are substantially more restrictive on valuation, appraisal and actuarial services. Auditors are simply prohibited from offering such services if the results are subjective in nature and material to the client’s financial statements. Actuarial services related to pension benefit liabilities are permitted because they do not involve a significant amount of subjectivity and valuation.
The new rules are not generally seen as having a dramatic impact on private companies that use their auditors for various services. Still, the additional restrictions move in that direction.
“From a global perspective, anything that clarifies what can and cannot be done is a step forward, but it is also a step toward rules that are more closely aligned with those that apply to public companies, so those who fear the trickle-down effect are seeing it here,” said Paul Rohan, director of accounting and auditing at the Connecticut firm of Scillia Dowling & Natarelli Advisors, and a former project manager at the Financial Accounting Standards Board.
Rohan still has his doubts about how truly auditors can remain independent if they offer other services to a given client.
“When you look at the fabric of independence, how can you be independent if you are performing these services and then turning around and being an auditor?” he said. “I would have a little quibble with any of these new rules to the extent that you are performing a service and it is generating revenue.”
The amended rules on internal audit services are essentially the same but more clearly delineated. Coffey said that the AICPA identified a difference between “internal audit outsourcing” and “extended audit service.”
“We think that additional auditing is good whether you call it internal audit outsourcing or extended audit service,” Coffey said. “What is important, and what the committee highlighted, is that the client have someone who understands internal auditing and has the competence to work with the auditor to make sure the auditor is not assuming any management functions during the performance of internal audit service... . The question is where to draw the line between the two, and that’s what we’ve attempted to clarify.”
William G. Bishop, CIA and president of the Institute of Internal Auditors, said that his organization was essentially, but not totally, satisfied with the new rules.
“If they are going to sanction some form of internal audit service, then the safeguards they’ve put in are pretty good,” Bishop said. “They expand on what was in there before. We like the idea of someone in the organization being responsible for it in the variety of ways they’ve listed. But I would have to say that our original response included a recommendation that they draw a bright line and prohibit a firm that performs a financial statement audit from conducting internal audit service.”
Bishop feels that the new rules will create some confusion because they state that external auditors’ independence is not impaired when they perform separate evaluations of internal control effectiveness or of monitoring activities. The rule, he said, does not specify that such engagements should not be performed for a client reporting under Sarbanes-Oxley Section 404. He stated that if management were to rely on such work as support for its assertion, the external auditor in its attestation might then be forming an opinion on his own work, which would clearly impair independence.
Bishop also thought that the AICPA should require members to meet the IIA’s International Standards for the Professional Practice of Internal Auditing when performing internal audit work, as the standards provide further guidance on meeting organizational independence.
Register or login for access to this item and much more
All Accounting Today content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access