BA 427 – Assurance and Attestation Services Lecture 29 Auditor Independence – Current standards
Lecture 29 – Independence • Sarbanes-Oxley, Title II • The SEC Rules to implement Sarbanes-Oxley • Current rules from the Government Accountability Office (GAO) • The current AICPA rules
The Sarbanes-Oxley Act • Title II • Prohibited Services • Audit partner rotation • Conflicts of interest
The Sarbanes-Oxley Act • Title II • Prohibited Services: auditors are prohibited from providing the following services to their public company audit clients: • Bookkeeping services • Financial information systems design and implementation • Appraisal or valuation services • Actuarial services • Internal audit services • Various others
The Sarbanes-Oxley Act • Title II • Prohibited Services: all non-audit services not specifically prohibited by Title II (e.g., tax services) require pre-approval by the audit committee. • An exception is provided for very minor services. • The PCAOB is granted exemption authority on a case by case basis.
The Sarbanes-Oxley Act • Title II • Audit Partner Rotation • The lead audit partner must rotate every five years. • The audit partner responsible for reviewing the audit (the concurring partner) must rotate every five years.
The Sarbanes-Oxley Act • Title II • Conflicts of interest (cooling off period) • The audit firm is not independent if any of the following client personnel formerly worked for the audit firm, and participated on the audit of the client during the one-year period preceding the date of the initiation of the audit: • CEO • Controller • CFO • Chief accounting officer
The SEC • The SEC issues rules to implement Sarbanes-Oxley • Issued in early 2003, under Chairman Harvey Pitt • Have not been updated or revised (as far as I can tell) by either the SEC or the PCAOB • Except for rules by the PCAOB related to tax services.
The SEC • Three basic principles: • An auditor cannot function in the role of management. • An auditor cannot audit his or her own work. • An auditor cannot serve in an advocacy role for his or her client.
The SEC • Audit partner rotation • SOX was silent on the “time-out” period. The SEC set the time-out at five years. • SOX only applied to the lead partner and concurring partner. The SEC identified other “key” partners on the engagement, and for them, set a seven-year rotation followed by a two-year time-out.
The SEC • Cooling-off period • Except for the lead partner and concurring partner, the rule only applies to individuals who provided more than 10 hours of audit services to the client. • The rule applies not only to the four job titles identified by SOX, but to anyone at the client in a “financial reporting oversight role.” • The SEC provides an “additional exemption for emergency or unusual circumstances” which the SEC anticipates being invoked very rarely.
The SEC • Prohibited services: • “In adopting these rules, the Commission is clarifying the scope of the prohibited services” under Sarbanes-Oxley
The SEC • Prohibited services • With respect to the prohibitions on (1) bookkeeping; (2) financial information systems design and implementation; (3) appraisal, valuation, fairness opinions, or contribution-in-kind reports; (4) actuarial; and (5) internal audit outsourcing, the rules state that the service may not be provided "unless it is reasonable to conclude that the results of these services will not be subject to audit procedures during an audit of the audit client's financial statements."
The SEC • Internal audit outsourcing: • The rules we are adopting prohibit the accountant from providing to the audit client internal audit outsourcing services. • This prohibition includes any internal audit service that relates to the audit client’s internal accounting controls, financial systems, or financial statements unless it is reasonable to conclude that the results of these services will not be subject to audit procedures during an audit of the audit client’s financial statements.
The SEC • Internal audit outsourcing: • This prohibition on “outsourcing” does not preclude engaging the accountant to perform nonrecurring evaluations of discrete items or other programs that are not in substance the outsourcing of the internal audit function. • For example, the company may engage the accountant … to conduct “agreed-upon procedures” engagements related to the company’s internal controls, since management takes responsibility for the scope and assertions in those engagements.
The SEC • Internal audit outsourcing: • The prohibition also does not preclude the accountant from performing operational internal audits unrelated to the internal accounting controls, financial systems, or financial statements.
The GAO • The GAO issued new independence rules under Generally Accepted Government Auditing Standards (GAGAS) in 2002. • Applies to auditors of numerous hospitals, schools and colleges, city and local governments, and other recipients of federal dollars.
The GAO • The new standards identify two overarching principles: • Auditors should not provide services that involve performing management functions or making management decisions. • Auditors should not audit their own work, or provide non-audit services that are significant or material to the subject matter of the audit.
The GAO • Assuming the engagement satisfies the two overarching principles, seven safeguards must be in place, including: • Audit and non-audit work must be performed by separate engagement teams. • The scope of the audit cannot be reduced based on the auditor’s provision of non-audit services. • The audit firm should document why the engagement complies with the two overarching principles.
The GAO • Examples of prohibited and allowed services • Allowed services include: • Preparing a trail balance and draft financial statements and footnotes from the chart of accounts, as long as management reviews and approves them. • Converting cash-based financial statements to accrual-based statements. • Advising on information technology design, installation and system security.
The GAO • Examples of prohibited and allowed services • Prohibited services include: • Processing the entity’s payroll. • Conducting an executive search or recruiting program, or recommending a single individual for a specific position. • Installing an off-the-shelf accounting system. • Selling software that was designed or developed by the audit firm. • Performing internal audit services for a client that does not have an internal audit function.
The AICPA • Recall that ethics rules are promulgated by the Executive Committee of the Professional Ethics Division of the AICPA. • This Committee still promulgates standards for most nonpublic audits. • The Committee generally did not adopt the SOX rules and new SEC rules. Therefore, independence standards for nonpublic companies are sometimes less restrictive.
The AICPA • Cooling-off period • The AICPA rules do not provide for a cooling-off period of any length. • Partner rotation requirements • There are none.
The AICPA • Non-audit services • The auditor cannot perform management functions or make management decisions. • The client must provide appropriate oversight and supervision of the engagement. • There should be an engagement letter or similar written document.
The AICPA • Internal audit outsourcing (in particular): • The auditor cannot perform ongoing monitoring activities or control activities. • The auditor cannot determine which, if any, recommendations should be implemented. • The auditor cannot report to the board or the audit committee on behalf of management. • The auditor cannot be responsible for the overall internal audit plan. • The auditor cannot be connected with the client as an employee.
The AICPA • Examples of services that are allowed under the AICPA rules: • Post client-approved entries to the client’s trial balance. • Process the client’s payroll from payroll time records provided and approved by the client. • Install an off-the-shelf financial information system package. • Screen job applicants for a client job posting. • Perform financial and operational internal audit activities that are supervised by client personnel.
The AICPA • Independence-in-appearance: • “a reasonable and informed third party, having knowledge of all relevant information, including safeguards applied. • Safeguards are defined as “controls that mitigate or eliminate threats to independence,” and are grouped into three categories.
The AICPA • Independence-in-appearance: • Thirty-six examples of safeguards are provided. • Some of these examples relate to the client’s governance structure. • Some of these examples relate to the accounting firm’s internal policies and procedures and to characteristics of the firm’s leadership.