AICPA proposes independence rules for tech services

With 73 percent of Accounting Today’s “2018 Top 100 Firms” reporting growth in their technology consulting business in the past year, they will want to pay attention to a recently released American Institute of CPAs’ proposal on independence rules for non-attest services.

On March 15, the institute’s Professional Ethics Executive Committee released an exposure draft, “Information System Services,” that is a comprehensive replacement to the current interpretation, “Information Systems Design, Implementation or Integration” (ET Section 1.295.145) in the AICPA Code of Professional Conduct. The proposal would revise the code’s non-attest services independence rule that applies when a practitioner provides information systems services to an attest client. Firms providing -- or thinking of providing -- these types of services to attest client should be paying attention.

Like the current rule, the proposed rule addresses possible self-review or management participation threats that may arise when practitioners provide these services to attest clients. Such threats are unacceptable when a practitioner/firm provides any of the following services:

• Designing or developing an attest client’s financial information system, or FIS;
• Customizing or providing data translation or interface services for an attest client’s commercial off-the-shelf FIS software solution; or,
• Post-implementation, performing maintenance, support, or monitoring services for any information system or network if the practitioner assumes a management responsibility (e.g., the client outsources an ongoing process, function or activity to the firm such as ongoing network maintenance, to the practitioner).

Some types of services do not raise unacceptable threats to independence under the proposal. These include services in which the practitioner/firm:

• Designs, develops or implements an information system that is not related to a FIS;
• Installs or configures a COTS FIS;
• Performs data translation or interface services between a legacy system and COTS FIS using a third party’s application program interface; or,
• Performs one-off maintenance, support or monitoring services for a client’s information system (e.g., analyzes the client’s network and provides recommendations or provides training on a new software).

How should a practitioner determine whether a non-attest service is related to a financial information system? Given the threat of self-review, the proposed rule would lead to a very different answer when the services relate to a FIS; thus, this determination would be key to applying the proposed rule.

The proposal defines an FIS as an information system that aggregates source data underlying the financial statements or generates information that is significant to the financial statements or financial processes as a whole.

Under the proposal, practitioners may consider the following questions to determine whether their non-attest services relate to a FIS:

Would the non-attest services:

• Impact the client’s system controls or output that will be subject to attest procedures?
• Generate data used as input to the financial statements?
• Gather data and assist management in making decisions that directly affect financial reporting?
• Be part of the attest client’s internal control over financial reporting?

Though prohibited from designing or developing a FIS, a practitioner could design or develop a template that performs a discrete function (such as a depreciation calculation) if the template performs an activity that the practitioner would be permitted to perform under the independence rules. For example, independence would be impaired if a practitioner valued nonmarketable securities that were material to the client’s financial statements. Thus, under the proposal, the practitioner could not develop or design a template that would perform the valuation (due to the threat of self-review).

The rest of the proposal

The proposal addresses information system services at a more granular level than the existing rule, providing definitions of the following terms and phrases to ensure that readers understand the general scope of each service:

· Design of an information system.

· Development of an information system.

· Commercial off-the-shelf (COTS) software solution.

Similarly, the proposal describes what is meant by system “implementation,” which is comprised of the following activities:

• Installation;
• Configuration;
• Customization;
• Interfacing; and,
• Data translation.

To help ensure consistent application, each of the above terms is also described within the proposed interpretation.

The proposal also emphasizes the importance of applying the safeguards in the General Requirements for Performing Non-attest Services, which are designed to avoid a situation in which a practitioner performs management responsibilities for an attest client. These safeguards require the practitioner to:

• Establish an understanding of the practitioner’s and the client’s respective responsibilities in connection with the services;
• Avoid performing management responsibilities; and,
• Document the understanding with the client prior to performing the services.

A critical component of the general requirement is that the client agrees to designate a person with suitable skills, knowledge and experience to oversee the practitioner’s services. Accepting this responsibility means that the client’s designee will be able to:

• Evaluate the adequacy of the services;
• Accept responsibility for the results of the services; and,
• Make all management decisions related to the services

The full Exposure Draft is available online, and comments on the AICPA’s proposed rule are due by June 15, 2018. If adopted, the proposed interpretation would become effective one year after it appears in the Journal of Accountancy’s “Official Releases.”