The AICPA’s revised independence interpretation, Information System Services (ET sec. 1.295.143), has been effective since January 1, 2023. Prior to that time, the staff of the AICPA Professional Ethics Division (AICPA staff) released nonauthoritative guidance to help members implement the revised interpretation. In December 2021, the AICPA staff published a Practice Aid entitled, Independence considerations for information systems services (ISS Practice Aid), which provides a framework for applying the interpretation. Several questions and answers (Q+As)  in Q+A section 250 Nonattest Services — Information Systems Services (ISS Q+As) were issued in December 2022.

This article discusses the guidance as it relates to key elements of the revised interpretation.

Quick Overview

First, a quick overview of the Information System Services (ISS) interpretation:

The interpretation addresses possible self-review and management participation threats related to (i) design and development, (ii) implementation, and (iii) post-implementation services.

Design and development services. If a firm designs or develops a financial information system (FIS) for an attest client, independence is impaired due to the significant self-review threat. Designing an information system means your firm will determine how a system or transaction will function, process data, and produce results, providing a blueprint for the development of software code and data structures. Developing an information system means your firm will create software code for one or more modules and test that code to confirm that it is functioning as designed. An FIS includes a system that aggregates source data underlying the client’s financial statements or generates information that is significant to its financial statements or processes. If your firm avoids performing management responsibilities and meets the other general requirements for performing nonattest services (per ET section 1.295), the firm can design or develop a system that is not related to an attest client’s FIS.

Implementation services. Implementation services include installation, configuration, data translation, interfacing, and customization services. Firms may assist clients by installing and configuring software systems that are designed and developed by a third party – even a client’s FIS – without impairing independence. A firm may also use a third-party vendor’s application, such as an application programming interface (API), to connect data from one system to another or provide data translation services. However, not all implementation services are permissible. If implementation involves design or development services, including customization of the vendor’s application, independence would be impaired.

Post-implementation services. Post-implementation services, such as information system and network maintenance, support, or monitoring services – whether for an FIS or not – impair independence if a firm assumes management’s responsibility for an ongoing function, process, or activity. This is the case even if your client has suitable skill, knowledge, and experience to oversee the service and make management decisions related to the services.

Though the ISS interpretation describes independence in relation to financial statement attest services, the interpretation also applies when you provide attest services in which the subject matter is not your client's financial statements. In those cases, you should substitute the term subject matter of the attest engagement for financial statements and financial reporting when applying the interpretation.

This next section discusses nonauthoritative guidance the staff has issued on ISS to help members and others understand and implement key elements of the interpretation.  

Design or Development Services

Assume your client wants the firm to create a data gathering system (e.g., tool). The key question to ask when evaluating whether a design or development service impairs independence is whether the service (in this case, a tool) relates to the client’s FIS. Important considerations are:

• How will the tool and the client’s FIS interact?

• How will the client use the tool?  

Step 2 of the framework in the ISS Practice Aid (page 7-8) asks several questions about the impact of the tool on the client’s financial statements and processes, including whether:

• management will use the tool when making decisions that are significant to financial reporting or processes, including internal controls over financial reporting;

• the tool will serve as management’s primary source of data for decision-making or simply present data in various formats;

• the tool will point management to a particular conclusion or whether management will also consider other information when making decisions that are significant to the financial statements;

• the tool will affect system outputs or controls that are subject to attest procedures; and

• the tool will be used as input to the financial statements, including determining financial statement amounts and disclosures.

Discrete Tool Exception  

Step 1 of the Framework (page 5-6) provides guidance on determining whether a tool meets the “discrete tool exception” in the interpretation and therefore is not considered an FIS. To meet the exception, firms should consider whether:

• the tool performs a calculation that is separate and distinct;

• the purpose of the tool is narrow and specific; and

• if the client were to use a different tool to perform the calculation, would they receive similar results?

ISS Q+A .05 describes what is meant by a data gathering system.  ISS Q+A .06 provides factors for determining whether designing or developing a data gathering system is related to an FIS. The example used is a dashboard that will provide alternate views of existing data from the client’s financial statements. The dashboard neither feeds altered data to the financial statements nor generates a specific action for the client to take. Rather, it provides information that the client may consider. Based on these facts, the Q+A concludes that the dashboard would not be considered an FIS. However, were the dashboard to feed data to the financial reporting system or prompt a specific action for the client to take, the dashboard may be considered an FIS. The firm must apply professional judgment in such circumstances.

Also on the subject of a data-gathering system, ISS Q+A .07 asks whether a firm needs to anticipate whether a client will modify a tool that the firm designed or developed such that the tool is later used in management’s financial reporting decision-making that could significantly impact financial reporting. The answer provides that when evaluating its independence under the interpretation, the firm need not try to predict whether the client will modify the tool in such a manner.

Implementation Services

The ISS Practice Aid notes that the interpretation treats software solutions that are developed, distributed, maintained, and supported by a firm differently than those that are developed, distributed, maintained, and supported by a third-party vendor (vendor). When a firm implements software that was designed or developed by a vendor (such as Intuit or Oracle), the threat that the firm would review its own work is eliminated.  However, this also assumes that the firm does not modify the software’s functionality or features (beyond that provided in the vendor’s software) or write new software code. According to pages 13-14 of the ISS Practice Aid, firms can perform the following software implementation services for a client, even an FIS software solution, without impairing their independence:

• Initial load of the vendor’s software on client’s designated hosting site

• Configuration of the vendor’s software, including:

  • Helping the client understand the various software options that are available to them;
  • Inputting client-selected functionality options, which determine how the software will perform; and
  • Selecting formatting options predefined in the software.

Page 15 of the ISS Practice Aid asks whether the firm will customize an FIS software solution by modifying or enhancing the software’s functions or features in ways that go beyond those provided by the vendor. As noted above, this includes modifying the code or writing new software code that adds or changes the software’s functionality. Customization activities – unlike configuration activities – impair your firm’s independence because you are no longer just implementing a vendor’s software, but also designing and developing your client’s FIS software solution.

Pages 16 and 17 of the ISS Practice Aid address interfacing and data translation services. In both cases, the firm may perform the services using a third party’s application. However, designing or developing the software or customizing a third party’s application that will be used in the services impair the firm’s independence.  

ISS Q+A .03 asks whether “hypercare” post-production stabilization support is considered an implementation or post-implementation service. If provided for a reasonably short period of time at the end of an implementation project, the activity is considered an implementation service that will not impair independence.  A firm should use its professional judgment in determining what is a reasonable period of time, which will vary based on the scope and complexity of the project.

Post-implementation Services

Step 4 of the ISS Practice Aid (pages 18-19) addresses post-implementation services, specifically, system and network maintenance, support, and monitoring services. Unlike design, development, and implementation services, which focus on avoiding self-review threats to independence, the key threat to avoid when performing post-implementation services is the management participation threat. Certain post-implementation services impair independence regardless of the type of system (i.e., FIS or not) and whether or not management has designated an individual who is competent to oversee your services.

To avoid impairing the firm’s independence, the client should not outsource an ongoing function, process, or activity to your firm. For these types of post-implementation services, agreements to support the client on an ongoing basis are problematic because the firm assumes a management responsibility.

Factors to consider include the:

• Scope and scale of services

• Frequency of the services

• Duration of the services

ISS Q+A .02 addresses operating or managing a client’s information technology (IT) help desk, which impairs independence. Firms should apply judgment in determining whether another IT help desk-related service would cause the firm to assume a management responsibility. A clickable table in the Q+A distinguishes the types of activities that would impair independence because the firm is assuming a management responsibility from those that would not. For example, the firm may assess the client’s IT help desk approach and provide advice and recommendations without impairing independence. A firm may also apply a specific patch to the system as a one-off project.

As for network maintenance and updates, ISS Q+A .04 also advises firms to apply judgment and provides a table that provides examples of independence-impairing versus permissible activities. For example, a firm may be able to provide services to the client on a limited and infrequent basis as requested by management. The firm should judge what constitutes limited and infrequent.

Summary

The ISS interpretation is supported by two types of nonauthoritative guidance. The ISS Practice Aid provides a framework that walks your firm through key portions of the interpretation to determine whether the firm’s services would be permissible. The Q+As address IT help desks, hypercare, data gathering systems, and network updates and maintenance services, and client modification of a tool that the firm designed or developed. Firms may find these resources helpful as they implement the revised independence requirements. Click the links below to read the guidance discussed in this article:

ISS Practice Aid, Independence considerations for information systems services

Q+A section 250 Nonattest Services — Information Systems Services

_________________________________________________________________________________________________________________________________________________________________________

The material in this publication is provided with the understanding that the author and publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. The author and publisher make no representations, warranties, or guarantees as to and assume no responsibility for the content or application of the material contained herein, and expressly disclaim all liability for any damages arising out of the use of, reference to, or reliance on such material. You may reprint material in this newsletter if it is unaltered and credited to the author and Audit Conduct. If being reproduced electronically, the following link must also be included: www.auditconduct.com. © Copyright 2023 – Audit Conduct, LLC. All Rights Reserved.