In June 2019, the American Institute of Certified Public Accountants (AICPA) issued a revised independence interpretation, “Information System Services,” which replaces “Information Systems Design, Implementation, or Integration” (ET sec. 1.295.145) in the Code of Professional Conduct. The AICPA’s Professional Ethics Executive Committee (PEEC) adopted the revised rule at its May 2019 meeting, which followed numerous discussions about the revisions proposed by the Information Technology and Services Task Force, of which the author is a member. Information system services (ISS), which include both financial and non-financial systems, raise possible self-review and management participation threats to independence. And while the interpretation identifies threats in terms of the impact on an attest client’s financial statements or processes, the interpretation applies to all attest engagements, even when the subject matter is not a set of financial statements. As stated, “In these cases, the member should define a financial information system as any system that is subject to the member’s attest procedures considering the relevant factors in paragraph .03a” (discussed in the next section).

Understanding Key Terms

The interpretation defines key terms, with the most critical being the “financial information system” (FIS). An FIS is a system that aggregates source data underlying the financial statements or generates information that is significant to the client’s financial statements or financial processes as a whole. An FIS would not include a software tool that performs only discrete calculations reflected in the financial statements, for example, generates amortization or depreciation schedules. However, the attest client’s personnel must evaluate and accept responsibility for the tool’s inputs and assumptions (e.g., useful lives) and have enough information to understand the calculation and the results.

Other key terms include:

• Designing an information system

• Developing an information system

• Commercial off-the-shelf (COTS)

Members (that is, practitioners) should consider all relevant factors, such as whether the ISS would affect:

• System controls or outputs that will be subject to the firm’s attest procedures (for example, consolidated balances that become part of the financial statements);

• A system that generates data used as input to the financial statements (for example, a payables system), including information reflected in or used in determining financial statement amounts and disclosures;

• A data-gathering system used to make decisions that could significantly impact financial reporting (for example, an analytical tool); and

• A system that is part of the attest client’s internal controls over financial reporting, including information systems used to effect internal controls over financial reporting (for example, application controls that help ensure the integrity of financial statement data).

Which types of ISS impair independence?

As in all nonattest services provided to attest clients, members must meet the general requirements of the “Nonattest Services” subtopic (1.295.040) to perform ISS. Three types of ISS, discussed next, are addressed in the interpretation: (1) design and development; (2) implementation; and (3) system and network maintenance, support and monitoring.

Design and Development

Designing an information system means a member determines how a system or transaction will function, process data, and produce results, which provides a blueprint for the development of software code (programs) and data structures. A member who develops an information system creates software code and then tests the code to confirm it is functioning as designed.

Designing or developing an information system that relates to an FIS (or other subject matter of the attest engagement) impairs independence. Self-review and management participation threats to independence would not be at an acceptable level and could not be reduced to an acceptable level by applying safeguards. However, a member’s firm may design or develop a system that is not related to an attest client’s FIS (or other subject matter of the attest engagement) if the general requirements of 1.295 are met.

Implementation

Implementing an information system means a member installs, configures, interfaces, customizes, or translates data; these services occur after the system is designed and developed but before it is available to the client for use on a regular basis. When a third-party vendor (that is not the member’s firm) designs and/or develops the software, the interpretation refers to the software as a “commercial off-the-shelf” or “COTS” solution. A COTS solution runs on a company’s computers or third-party vendor’s “cloud” infrastructure and ranges from simple, ready-to-install software packages to large-scale, complex enterprise applications. Like design and development services, implementing a system that is unrelated to a client’s FIS (or other subject matter of the attest engagement) does not impair independence if the general requirements of 1.295 are met.

Implementing a COTS Solution

If a member implements a COTS solution related to an attest client’s FIS (or other subject matter of the attest engagement), independence may still be maintained if the member does not perform design or development services, as described in the following table:

| SERVICE | DESCRIPTION | IMPAIRS INDEPENDENCE? |
| --- | --- | --- |
| Install COTS Solution | Initial loading of software on the client’s designated hosting site. | No. |
| Configure COTS Solution | Input client-selected software features, functionality options, and settings within 3rd party vendor’s software, which determines how software performs certain transactions and processes data. Select predefined format of certain data attributes and inclusion or exclusion of such attributes. | No, unless member designs or develops new software code or features to modify or alter functionality of COTS solution in ways 3rd party vendor did not predefine. |
| Customize COTS Solution | Modify or enhance features and functions in ways that go beyond options provided by 3rd party vendor, e.g., alter code in COTS solution or develop new code external to the COTS solution to provide different or added functionality. | Yes, this is design and/or development. |
| Interface COTS Solution | Connect two or more systems by designing and developing software code that passes data from one system to another. Interfaces may: (1) flow in one or both directions; (2) perform end-to-end transactions or pass data from one system to another. | Yes, unless member employs a 3rd party application and will not design or develop code for the application to work. |
| Translate COTS Solution | Design and develop rules or logic necessary to convert legacy system data to a format that is compatible with the new system. | Yes, unless member employs a 3rd party application and will not design or develop code for the application to work. |

System and Network Maintenance, Support, and Monitoring

Post-implementation system or network maintenance, support, or monitoring services may raise independence concerns, primarily management participation threats. For example, an attest client should not outsource to the member an ongoing function, process, or activity that allows the member to assume a management responsibility, which impairs independence. Examples include services in which the member:

• operates an attest client’s network;

• supervises personnel operating the client’s information system(s);

• monitors or maintains the attest client’s network performance;

• manages the client’s information technology (IT) help desk;

• performs ongoing network maintenance; or

• maintains security for the client’s networks or systems.

Services generally would be permissible if they:

• do not involve an outsourced function, process, or activity;

• are separate and distinct;

• are not performed on an ongoing basis; and

• meet the general requirements of 1.295.

Examples include services in which the member:

• analyzes an attest client’s network and provides observations or recommendations to the client;

• applies virus protection solutions or updates that the member did not design or develop;
• applies certain updates and patches that the member did not design or develop;
• provides advice, training, or instruction to the client on a new software solution; or

• evaluates the design or operating effectiveness of an attest client’s security over IT security policies or practices.

The revised interpretation becomes effective January 1, 2021 and early implementation is allowed. Members implementing the new rules are encouraged to contact the AICPA Ethics Division with questions at ethics@aicpa.org.
