Performing certain nonaudit services for audit clients can impair independence. Misrepresenting nonaudit services as immaterial and mischaracterizing them as audit services obscures the conflicts of interest that may occur when both services are performed for an audit client. In the United Kingdom, regulators are moving towards separating audit businesses operationally. The SEC should study the issue to determine how to implement a similar split in the United States. Nothing short of this remedy is sufficient to protect the public interest.
For years, auditing firms had argued that the performance of nonaudit services to audit clients does not impair audit independence, and regulators failed to act. The Sarbanes-Oxley Act (SOX) of 2002 changed all that when the SEC prohibited certain nonaudit services that might impair audit independence. Since then, some CPA firms that provide audit services have violated Rule 2-01 of SEC Regulation S-X that requires auditors to be independent both in fact and appearance. These violations have occurred because these firms engaged in prohibited nonaudit services, failed to apply appropriate quality controls to provide reasonable assurance that independence was maintained, or failed to comply with PCAOB Rule 3525, which requires certain communications between the auditor and the audit committee that bear on whether independence existed during the engagement and at the time the audit report was issued.
One area of recent concern is that problems can arise when otherwise permissible nonaudit services are provided to a nonaudit client that becomes an affiliate of an audit client. The independence rules then apply to both clients as if they were one entity. Some firms are now using a materiality criterion to determine whether these nonaudit services provided to an affiliate entity, which would be prohibited if the parent had provided them, violate the independence requirement in audit engagements. Applying such a materiality standard can have the effect of dismissing otherwise improper relationships.
In other cases, audit firms have misrepresented nonaudit services as part of the audit services to get around the rules that prohibit certain nonaudit services for audit clients. Purposely doing so misleads the users of financial statements about independence.
Acting as if the rules do not apply universally represents a problem that, left untreated, may fester and lead to independence violations that get worse. Auditors may be subconsciously regarding the independence ethical requirements as not applying to them or not worth considering because they know they possess objectivity and integrity. But the end result is that too many auditors are violating ethical requirements.
The examples discussed in this article suggest that audit firms are either unaware of these requirements or ignoring them, at least as they pertain to determinations of whether nonaudit services provided to audit clients violate independence. It may be that an audit-only firm can do a better job of ensuring adherence to independence rules than a firm that does not have an exclusively audit culture.
Violations Involving Nonaudit Services
Several settlements between the SEC and PCAOB and large accounting firms illustrate what happens when audit firms have provided nonaudit services to audit clients in violation of independence. In these cases, the firms represented that they were independent in audit reports when they were not, in violation of SEC Rule 2-02(b) of Regulation S-X and PCAOB Rule 3525.
On September 23, 2019, PricewaterhouseCoopers agreed to pay $7.9 million to settle charges that the firm violated Rule 2-02 by performing prohibited nonaudit services during an audit engagement, including exercising decision-making authority in the design and implementation of software relating to an audit client’s financial reporting, and engaging in management functions. The firm’s actions created a self-review threat to independence. In addition, the firm violated PCAOB Rule 3525 in connection with performing nonaudit services for 15 SEC-registered audit clients by failing to describe in writing to the audit committee the scope of work, to discuss the potential effects of work on independence, and to document the substance of the independence discussion. These actions deprived the issuers’ audit committees of the information necessary to assess PricewaterhouseCoopers’ independence. The aforementioned violations occurred due to breakdowns in PricewaterhouseCoopers’ independence-related quality controls, which resulted in the firm’s failure to properly review and monitor whether nonaudit services for audit clients were permissible and approved by clients’ audit committee [SEC, Accounting and Auditing Enforcement Release (AAER) 4084, In the Matter of PricewaterhouseCoopers LLP, September 23, 2019].
On August 27, 2019, the SEC charged RSM US LLP (formerly known as McGladrey LLP), the fifth largest accounting firm in the United States, with violating Rule 2-02(b)(1) in connection with more than 100 audit reports involving at least 15 audit clients. According to the SEC’s order, RSM US repeatedly represented that it was independent in audit reports issued on the clients’ financial statements even though it provided prohibited nonaudit services to, and had an employment relationship with, affiliates of RSM US audit clients. The prohibited nonaudit services included corporate secretarial services, payment facilitation, payroll outsourcing, loaned staff, financial information system design or implementation, bookkeeping, internal audit outsourcing, and investment advisory services. The SEC also cited a deficiency in independence controls at the firm that led to its failure to identify and avoid these prohibited nonaudit services. This violation created a self-review threat to independence and created the appearance that the firm could not be objective in providing audit services [SEC, AAER 4066, August 29, 2019, In the Matter of RSM US LLP (f/k/a McGladrey LLP)].
These two examples illustrate what happens when audit firms either ignore or misinterpret the restrictions on performing nonaudit services for audit clients set forth in Rule 2-02 as well as Rule 1.295.040 of the AICPA Code. Most of these restrictions are directly or indirectly prohibited under SOX and SEC Rule 2-01, which mirrors SOX restrictions.
The following violations occurred because of the misleading way in which independence was determined and conclusions about it were reached.
KPMG was involved in a client acceptance process for an entity when it learned that the firm had been providing nonaudit services to affiliates of the entity that the firm would be prohibited from providing if it became the independent auditor. These services included bookkeeping and payroll services provided to affiliates in 11 different countries. According to AAER 3530, “the KPMG audit engagement team—in consultation with the firm’s Independence Group—concluded that, based on the perceived immateriality of the locations and services provided,” KPMG’s overall independence would not be impaired if it became the auditor of the entity but also continued providing the nonaudit services to the affiliates during the transition period of February 22, 2008, to July 1, 2008. KPMG became the auditor and confirmed to the client that it was “independent with respect to [the client] and its related entities under applicable SEC and PCAOB independence requirements” [SEC, AAER 3530, January 24, 2014, In the Matter of KPMG LLP, Respondent, https://www.sec.gov/litigation/admin/2014/34-71389.pdf]. The firm’s actions violated SEC Rule 201(c)(5) and Rule 10A-2.
Using a materiality criterion to determine whether certain nonaudit services should be allowed presents some difficult questions: 1) Is independence a standard best left to the individual judgment of the auditors, or is it based on SEC regulations and PCAOB standards? 2) Where do you draw the line in making materiality determinations?
Mischaracterizing Nonaudit Services
Returning to the agreement between PricewaterhouseCoopers and the SEC discussed above, the firm violated SEC Rule 2-02(b) of Regulation S-X and PCAOB Rule 3525 by engaging in improper professional conduct in violation of the independence rules on 19 engagements on behalf of 15 SEC audit clients. This case is unique because the firm had mischaracterized certain nonaudit services as part of the audit engagement to skirt its ethical responsibilities under SEC and PCAOB rules.
In 2014, PricewaterhouseCoopers performed nonaudit services for an audit client concerning Governance Risk and Compliance (GRC) software. According to AAER 4084: “GRC systems are used by companies to coordinate and monitor controls over financial reporting, including employee access to critical financial functions.” The client “intended to use the GRC software to generate information as part of the company’s control environment and to provide data to assist personnel in forming conclusions regarding the effectiveness of internal controls related to financial information systems.” At the time the GRC system was being implemented, it was intended to be subject to the internal control over financial reporting audit procedures.
As stated in AAER 4084, the SEC rules:
prohibit independent auditors from designing and implementing systems such as GRC where the software aggregates source data or generates information significant to the clients’ financial statements or other financial systems as a whole. Designing, implementing, or operating systems affecting the financial statements may also place the accountant in a management role, or result in the accountant auditing his or her own work or attesting to the effectiveness of internal control systems designed or implemented by that accountant. The independence rules also prohibit an independent auditor from performing management functions. (AAER 4084)
Communications between PricewaterhouseCoopers and its audit client show that the client’s head of internal audit was concerned whether the firm could provide an implementation proposal and inquired about auditor independence. Brandon Sprankle, who was the partner responsible for supervising the performance of prohibited nonaudit services, violated SEC Rule 2-02 when he responded that “we are absolutely permitted to implement so there will be no issues,” even though he was aware that the firm’s independence policies did not allow it or him to implement the GRC system.
Communications with the client show the disconnect between the client’s expectations and how PricewaterhouseCoopers was describing its information systems services, ostensibly to skirt the requirement not to perform certain nonaudit services for audit clients. An e-mail from the client’s then-head of internal audit, who objected to the description of services contained in the draft engagement letter, informed PricewaterhouseCoopers that the proposed work was an implementation project that had been outsourced to the firm. The final engagement letter described the work on the GRC project “as performing assessments and high-level recommendations” even though an internal PricewaterhouseCoopers communication had characterized the engagement as a design and implementation project.
PricewaterhouseCoopers agreed to pay more than $7.9 million to settle charges with the SEC that it performed prohibited nonaudit services during an audit engagement, including exercising decision-making authority in the design and implementation of software relating to an audit client’s financial reporting and engaging in management functions.
The firm also violated PCAOB Rule 3525 by failing to describe in writing to the audit committee the scope of work, the potential effects of work on independence, and the substance of the independence discussion. These actions deprived the issuers’ audit committee of information necessary to assess PricewaterhouseCoopers’ independence. The violations occurred due to breakdowns in PricewaterhouseCoopers’ independence-related quality controls, which resulted in the firm’s failure to properly review and monitor whether nonaudit services for audit clients were permissible and approved by clients’ audit committee (SEC, AAER 4084, In the Matter of PricewaterhouseCoopers LLP, Sept. 23, 2019, https://bit.ly/32UNzgO).
On another project for the same audit client, PricewaterhouseCoopers provided services related to the client’s upgrade of its enterprise software and related programs. Many of the services were nonaudit work to be performed before implementation of the system, including assessments and reviews before the system was in use, with the firm making recommendations and providing reports to the client.
To gain approval for the project by PricewaterhouseCoopers’ Risk Assurance Independence Group (RAI), a draft engagement letter was prepared that described the services as including approximately 1,000 hours of work by the client’s personnel and noting that the services would be performed in accordance with the Standards for Consulting established by the AICPA. The client’s audit committee approved the project as “nonaudit consulting” services with respect to the pre-implementation review of the enterprise software upgrade.
PricewaterhouseCoopers’ own RAI raised a red flag about the engagement, largely due to the 1,000 hours that made it seem as though it was an internal audit co-sourcing engagement, which is prohibited for an audit client. The firm’s information technology manager suggested that the project should cease involvement of the client’s internal audit department in the assessment or seek formal clearance by the firm’s U.S. Independence Office in its assessment.
Sprankle did neither; instead, he changed the description of the services from a consulting project to audit procedures. According to AAER 4084:
because the project was re-characterized as audit services, the work was not subject to proper internal review to assess auditor independence prohibitions, including a review to determine whether the project constituted prohibited non-audit services or outsourced internal audit work to be performed during the audit engagement of the Issuer company.
Exhibit 1 summarizes the discussions about violations involving nonaudit services, using materiality exceptions, and mischaracterizing nonaudit services.
Performing Prohibited Nonaudit Services for Audit Clients
SEC Proposal to Amend Auditor Independence Rules
On October 20, 2020, the SEC announced changes to Rule 2-01 of Regulation S-X that loosen independence rules with respect to the auditing of affiliates and investment company clients.
The new rule would limit the range of audit client affiliates from which an auditor must maintain its independence by: 1) amending the definition of “affiliate of the audit client” to carve out affiliates under common control (i.e., sister entities) that are not material to the controlling entity and 2) providing, with respect to the audit of an investment company, investment advisor, or sponsor, that the auditor and audit client would look solely to the definition of “investment company complex” to identify audit client affiliates under common control that are not material to the controlling entity (“SEC Adopts Amendments to Auditor Independence Rules,” October 20, 2020, https://bit.ly/3ocayMV).
The new rule defines an affiliate of the audit client as “an entity that has control over the audit client … or which is under common control with the audit client, including the audit client’s parents and subsidiaries.” The result is that entities under common control with the audit client (“sister entities”) are considered affiliates and fall within the definition (“audit client”) set forth in Rule 2-01 (SEC, 17 CFR Part 210, Amendments to Rule 201, Qualifications of Accountants, https://bit.ly/300pl2H).
The rule gives auditors more discretion in assessing conflicts of interest in affiliate relationships with the firm’s audit clients. The motivation for the change seems to be an analysis by the SEC that the audit firm can maintain its objectivity and impartiality (hence its independence) in these control relationships based on a materiality exception. According to SEC Chair Jay Clayton, the rule changes would “permit audit committees and [SEC] commission staff to better focus on relationships that could impair an auditor’s objectivity and impartiality” and avoid “spending time on potentially time-consuming audit committee review of non-substantive matters” (“SEC Planning to Loosen Auditor Independence Rules,” January 2, 2020, https://bit.ly/2ROOc51).
By introducing a significance test to determine whether an affiliate is material to the controlled entity, the SEC has opted to rely on the judgment of the auditor and audit firm to determine when independence is impaired rather than strictly applying the ethics rules as written. While a materiality test applied to financial reporting issues is commonplace (i.e., to determine whether restatements to the financial statements are warranted), it has no place in ethics determinations. Any rule violation—regardless of a size test—is unethical. There should not be a materiality test to determine right versus wrong. Moreover, once the door is opened to making materiality judgments on independence issues, firms may seek to use it in interpreting other rules. For example, should a firm be able to provide “non-material” contingent fee and commission-based services to a non–audit affiliate once it is combined with the controlling entity for which audit services are provided? The problem with establishing a materiality criterion in one rule is it becomes an ethical slippery slope for other rule interpretations.
It is troubling that the SEC may have given up in its efforts to make independence the cornerstone of audit engagements; instead, it may be relying on objectivity and impartiality under the guise of a materiality exception. The SEC had highlighted in the past the importance of audit independence with regard to nonaudit services in a response to frequently asked questions seeking clarification of the rules. One question asked was whether prohibited nonaudit services performed for audit clients would be permitted when “it is reasonable to conclude that the results of these services will not be subject to audit procedures during an audit of the audit client’s financial statements.” The SEC responded that there is a rebuttable presumption that the prohibited services will be subject to audit procedures. It went on to say:
“the development of the basis for the judgment is, in and of itself, an audit procedure relating to the determination of whether to apply detailed audit procedures to a unit of the consolidated entity. Therefore, materiality is not a basis upon which to overcome the presumption in making an interpretation that it is reasonable to conclude that the results of the services will not be subject to audit procedures” (“Office of the Chief Accountant: Application of the Commission’s Rules on Auditor Independence: Frequently Asked Questions,” Updated as of June 27, 2019, https://bit.ly/3hOCBgU).
By its response, it appears that the SEC believes that a determination of the significance of nonaudit services should not be affected by materiality considerations. The question—and the response discussed above—was first asked on January 16, 2001. Given its recent ruling that loosens auditor independence rules, however, the SEC’s support for independence as the backbone of the audit profession seems to be waning.
The U.K. Experience
In the aftermath of the liquidation of two large companies, Carillion and BHS, the Financial Reporting Council (FRC), the United Kingdom’s accounting watchdog, has been examining the question of whether the performance of all nonaudit services for audit clients should be prohibited. The impetus for the review is the FRC’s claims that auditors from KPMG in both instances did not “challenge management enough,” were not “sufficiently skeptical, and were inconsistent in their execution of audits.” The FRC concluded that “there remains public concern about whether the provision of nonaudit services undermines auditor independence.” (Jason Bramwell, “KPMG U.K. is Giving Up Non-Audit Work on FTSE 350 Clients. Will the Other Big 4 Firms Follow?,” November 8, 2018, https://bit.ly/2Esmp7u)
KPMG indicated it would not continue to provide nonaudit services to audit clients, albeit with some qualifiers, such as continuing to provide nonaudit services, such as consultancy, to smaller U.K.-listed clients, as well as private firms of all sizes. It also failed to give an end date for the changes.
Other firms, including PricewaterhouseCoopers and Ernst & Young, also said they would stop offering nonessential consulting services to their largest British public audit clients by 2020. The firms stated their goal is to eliminate any perception of conflict between selling audit and consulting work to the same client (Audit Conduct, “In UK, three of the big 4 announce they will stop performing consulting services for large audit clients,” January 31, 2019, https://bit.ly/3hRyn87). The key here is: what is a “nonessential consulting service?” Perhaps the firms purposefully left it vague.
There has been a great deal of controversy in the U.K. about how best to restrict nonaudit services for audit clients. The U.K. Competition and Markets Authority (CMA), a government department, issued a report on April 18, 2019, that recommended an operational split of audit and nonaudit services. The large firms would be split into separate operating entities with respect to auditing and consultancy functions to reduce the influence of consulting practices upon auditing divisions. The split would help prevent potential conflicts of interest from impairing audit independence and increasing the public trust in the quality of financial statements. However, the CMA stopped short of recommending a full breakup based on firm services (Competition and Markets Authority, “Statutory audit services market study,” Final Report, April 18, 2019, https://bit.ly/2RPQbpH).
Some in the U.K. accounting profession have warned that the split of nonaudit and audit services into separate entities would challenge firms’ ability to adjust to changes in market conditions, perhaps because audit fees account for only 20% of the firms’ overall fee income, making it less likely that an audit firm could operate profitably as a stand-alone entity.
The CMA has said that the proposed separation would have auditors “focus exclusively on audit to secure higher quality, and not also on selling consulting services.” They suggest that the separation would achieve this by:
- Creating a strong culture in the audit firm and eliminating tensions with the very different culture of advisory services
- Enhancing transparency
- Making audit truly independent by ending the subsidies from the rest of the firm
- “Demonstrating a culture of quality, independence, and objectivity” and eliminating “undue influence from the wider (nonaudit) business” (Callum MacRae, “FRC Calls for the Break-up of Audit and Non-Audit Services of the Big 4,” https://bit.ly/32TTkeI).
A study group report prepared on behalf of the U.K. parliamentary Labour Party called for a legal split between audit and nonaudit services. The group was not convinced that an operational split would go far enough, calling instead for two legally separate organizations. In essence, it calls for a structural breakup of large firms, saying that it would be more effective than other options in “tackling conflicts of interest” and providing “professional skepticism needed to deliver high-quality audits.” (“Reforming the Auditing Industry,” https://bit.ly/3iXTZkS)
On February 27, 2020, the FRC sent a letter to the seven biggest U.K. audit firms—the Big Four as well as BDO, Grant Thornton, and Mazars—asking them to separate their audit practices and put in place independent boards to make changes to how they run their audit business to reduce conflicts of interest. The regulator is asking companies to take steps to separate their audit businesses in advance of expected legislation that could mandate these separations. The result of such a separation would be that audit units at these seven companies would have to be financially independent from other business units, thereby ending profit sharing between audit and other entities and establishing separate boards to strengthen governance (Nina Trentmann, “U.K. Regulator Asks Accounting Firms to Wall-Off Audit Practice, Install Separate Board,” The Wall Street Journal, https://on.wsj.com/2G3nOS9).
On July 6, 2020, the FRC told the Big Four to draw up plans for an operational split by separating their audit businesses by October 23, 2020 and for the work to be completed by mid-2024. The changes do not apply to smaller firms. The regulator stopped short of ordering a full, structural breakup that would have required audit entities to be spun off into separate legal entities.
The FRC listed 22 principles the Big Four have had to adhere to since June 30, 2020. Under the principles, the Big Four have to segregate their audit practices and ensure that audit partners spend the majority of their time on audits. Deloitte said it will establish an independent audit governance board (AGB), with responsibility for providing independent oversight of the U.K. audit practice from January 1, 2021. KPMG has gone further, stating that “KPMG supports operational separation and have already taken action which demonstrates how serious we are about rebuilding trust in our profession.” The firm plans to discontinue nonaudit services to Financial Times Stock Exchange (FTSE) 350 companies audited, to introduce graduated findings in their audit reports and to change their governance to create a separate audit board, which is solely focused on the performance management of their audit business. The firm said it plans to submit its detailed implementation plans to the FRC by the October 23 deadline (Accountancy Daily, “Audit firms report split progress,” https://bit.ly/3j4stlB).
Michael Izza, chief executive of the Institute of Chartered Accountants in England and Wales, said the FRC announcement provided a useful framework for running an audit firm; “however,” he said, “it will do little to improve quality or choice in the market.” Others have said that audit firms need to overhaul their attitudes toward clients, pointing out that the problem is with the culture within audit firms as being too deferential to clients’ senior management (Nina Trentmann, “U.K. Regulator Orders Big Four to Separate Audit Practices by 2024,” Wall Street Journal, https://on.wsj.com/2RMtuTv).
The U.K. has been trying to encourage audit firms to voluntarily split off audit from nonaudit services; however, firms do not seem inclined to do so. As a result, the FRC is due to be replaced by a stronger regulator called the Audit, Reporting, and Governance Authority, which is expected to force a breakup of the Big Four.
The U.K. experience should be looked at by the SEC to assess whether a separation of audit and nonaudit services operationally could work in the United States. The profession has talked about it for many years. It may be premature to study a legal split into two entities. Given the expanding scope of prohibited nonaudit services and how they may be mischaracterized to skirt the independence rules (as discussed above), it seems to this author that the time is right for such a split in the United States.
Protecting the Public Interest
In fiscal 2018, 34% of the Big Four’s combined global revenue came from auditing, compared with 43% from consulting and advisory work; the rest came from tax and legal work. The Big Four have generated more revenue from consulting and advisory services than from auditing since fiscal 2015 (Andrew Grill, “The Big 4 Consulting revenue now exceeds audit work—we need to consider the “Big 6” in consulting,” April 10, 2018, https://bit.ly/2Hf2Ss3).
Given audit firms’ insatiable appetite for consulting and advisory services and the larger piece of the revenue pie those services represent, it is unlikely that U.S. CPA firms would support separating audit from nonaudit services. The firms’ position has been that the expertise gained through greater access to technology and the clients’ businesses helps to deliver high-quality audits. Investors, on the other hand, worry about audit firms shifting their focus away from core auditing responsibilities and the potential for conflicts of interest when earning large consulting fees from an audit client.
The rise of consulting services is generally considered to have fundamentally changed the culture of CPA firms. Gone are the days when most accounting professionals are steeped in a strong ethics culture. Today, consulting and advisory services are being provided by experts who may or may not be CPAs. They are used to a competitive marketplace for such services and may be more willing to compromise on independence to gain lucrative consulting services.
By operationally splitting audit and nonaudit services, the firms would signal that they take their obligation to be independent in fact and appearance seriously, and that they recognize the importance of avoiding conflicts of interest when both services are provided to a client. The public should expect nothing less.