Auditor Independence is integral to the financial reporting system and trust in the capital markets. But recent cases against large audit firms underscore the challenges firms face in ensuring independence and the seriousness with which the SEC enforces its regulations. In the author’s opinion, too many auditors misinterpret the SEC’s independence rules, which results in a checklist mentality to compliance that misses the true spirit of the SEC’s independence requirements.
The recent SEC proceedings against Ernst & Young and three of its partners provide a vivid reminder of some of the pitfalls that may result in serious independence violations by unwary auditors. Ernst & Young (EY) and its partners solicited and obtained from the audit client’s chief accounting officer (CAO) other firms’ bid proposals and other confidential information and contravened the audit committee’s intent to conduct a fair and competitive search process [Accounting and Auditing Enforcement Release (AAER) 4239 (August 2, 2021)]. “EY and EY Partners,” the SEC noted, “should have known that the manner in which EY obtained the engagement would cause a reasonable investor to conclude that EY was not capable of exercising objectivity and impartiality upon becoming Issuer’s independent auditor and that such conduct therefore would result in a violation of the Commission’s and the [PCAOB] auditor independence rules.” The issuer was not named in the release, but press reports identified it as Sealed Air.
The rule violated was the SEC’s general standard that recognizes an auditor must be independent in fact and appearance. Auditors might fail to meet this standard and impair independence even if their conduct is not specifically prohibited by the SEC’s related rule that enumerates such matters. Rule 2-01(b) is the general standard, and Rule 2-01(c) provides a nonexclusive list of specific relationships that render an auditor and the auditor’s firm as not independent. Failing to understand and properly apply the general standard is a major pitfall that auditors must avoid when auditing the financial statements of a public company.
In this author’s opinion, too many auditors view the SEC’s independence rules as a two-step determination: first, evaluating independence in fact based on their own assessment of their ability to act with integrity and objectivity and, second, evaluating appearance. The second step is treated as a compliance-oriented determination of adherence to a collection of rules designed to foster public confidence, separated from the basic requirement to act with integrity and objectivity. This view has led to a checklist mentality that misses the true meaning of the SEC’s general standard on independence. This article suggests ways to avoid this major pitfall, as well as other pitfalls in applying the general standard. It also provides a reminder that SEC independence requirements may apply in certain circumstances even when the audit client is a nonissuer.
EY’s Violation of the SEC’s General Standard on Independence
Sealed Air’s Chief Accounting Officer (CAO) had worked with one of the three EY partners at another company. The CAO was heavily involved in the Sealed Air audit committee’s process of selecting an independent auditor, and engaged in conduct designed to favor EY. EY and three other firms, including the incumbent auditor, were invited to submit bids for the audit work. The audit committee structured the Request for Proposal (RFP) process to be competitive and fair, providing each firm with “an equal opportunity to provide their best proposals.”
Without the knowledge or approval of the audit committee, the CAO provided EY with confidential information on the other firms as well as the audit committee and significant other aid. The CAO sent EY other firm’s proposals and submissions, as well as internal documents used in the audit committee’s deliberations. Because of their prior relationship (the CAO and one of the EY partners had “worked closely together”), and because the CAO viewed the EY partner “as a trusted advisor,” EY was allowed to assist in drafting portions of the RFP and permitted to meet with the CAO’s financial personnel at least one month before the other firms. Internally, EY referred to this as a “head start none of the other firms were given.”
The CAO reviewed the firms’ proposals for the audit committee and planned to present the pros and cons of the proposals to aid the audit committee’s selection. He asked EY for additional talking points, and received from EY a detailed list of additional “cons” against the incumbent firm.
EY used the competitive intelligence and confidential bid information provided by the CAO in preparing its initial proposal. The audit committee selected the incumbent firm and EY as finalists and specified a deadline for the submission of final bids. The CAO forwarded the incumbent firm’s final bid to EY and allowed EY to revise its bid and submit it five days after the deadline. EY’s bid was nearly identical to that of the incumbent firm, but slightly higher when expenses were included. The CAO removed the expenses from the information on EY’s bid that was sent to the audit committee to make EY’s bid appear to be lower. In the construction industry, this activity would be labeled “bid rigging.”
Subsequently, Sealed Air learned of some of the conduct of the CAO and EY during the RFP process. The audit committee performed an investigation and terminated both the CAO’s employment and EY’s audit engagement.
Other Examples of Violations of the General Standard
Other notable examples of violations of the SEC’s general standard include the following:
- A lead engagement partner developed and maintained a close personal relationship with the CFO of an audit client and the CFO’s family. This relationship included frequent social events, gifts, and overnight out-of-town trips that involved lavish spending. The activities violated the audit firm’s policies, which identified such extensive relationships as creating “independence issues from an appearance perspective.” The SEC sanctioned the partner for his independence violations, and the firm for failing to act on red flags regarding the partner’s relationship with the CFO (AAER 3802, September 19, 2016).
- An audit partner had a close personal and romantic relationship with the CAO of an audit client. The SEC sanctioned the audit partner and the CAO for the independence violation as well as the lead engagement partner and the audit firm for failing to act on red flags about the relationship (AAER 3803, September 19, 2016).
- An audit firm conducted microcap conferences for several years at which the firm touted a group of companies that included audit clients as high-quality investment opportunities. The PCAOB sanctioned the audit firm and the partner responsible for the firm’s compliance with independence requirements for the client-advocacy–related independence violations, as well as for violation of quality control standards (PCAOB Release 105-2019-022, September 10, 2019).
All of these independence violations involved a failure to comply with the SEC’s general standard rather than with specific prohibitions of individual rules.
Prior Recent Analyses of the ‘Independence Problem’
The pages of The CPA Journal have not lacked coverage of independence violations and suggestions of their causes and cures. Howard Levy focused on the commonality he saw in two of the cases of the “familiarity threat” in “close personal relationships” and recommended that audit firms implement more robust policies and procedures that provide a working definition of them (“Has the SEC Awakened a Sleeping Giant?,” The CPA Journal, January 2017).
Ed Ketz postulated that: “Either practitioners have biases that they do not recognize, which requires institutional changes; or they are unaware of independence rules,” and he explored several potential solutions (“The Myth of Auditor Independence,” The CPA Journal, February 2020).
Vincent Love opined that independence violations usually occur “at the engagement partner level where the specter of unconscious bias, and arrogance, comes into play” and suggested that an improved “tone at the top” could provide a “a major control on unconscious bias and arrogance in the delivery of assurance services” (Vincent J. Love, “How Independence and Commercialism Can Coexist,” The CPA Journal, January/February 2022).
These authors have correctly identified key aspects of prominent violations of the SEC’s general standard, but I believe an important factor is missing from these analyses. As stated above, the pitfall is to totally divorce independence in fact from independence in appearance. This separation permits an auditor to regard independence in fact as a given—whether due to cognitive bias, arrogance, or both—and gloss over the need to step back and view the situation from the perspective of a reasonable person. The following discussion of the SEC’s general standard explains the basis for this conclusion.
The pitfall is to totally divorce independence in fact from independence in appearance.
Recognize that the SEC’s General Standard of Independence Requires an Objective Assessment of Independence in Fact and Appearance
For many years, auditors, as well as the SEC itself, have referred to the need for auditors “to be independent of their audit clients both in fact and appearance.” The pitfall here is to regard the determination of independence an auditor must make as involving two distinct judgments rather than linked matters of equal importance.
The central language of the SEC’s general standard is worth repeating and analyzing:
The Commission will not recognize an accountant as independent, with respect to an audit client, if the accountant is not, or a reasonable investor with knowledge of all relevant facts and circumstances would conclude the accountant is not, capable of exercising objective and impartial judgment on all issues encompassed within the accountant’s engagement.
In addition to an evaluation of whether there is a violation of express prohibitions, an auditor must assess, with a high level of scrutiny, the objective criterion of whether the facts and circumstances render the auditor incapable of being objective and impartial or would cause a reasonable investor (or person) to conclude the auditor was incapable of doing so. SEC Release 34-43602 indicates the general standard is an objective one and that the “reasonable person standard” is embedded in the law generally; SEC Release 33-7593 indicates that circumstances that raise questions about an auditor’s independence always merit heightened scrutiny.
The fallacy here is to consider the objective test—whether a reasonable person would conclude the auditor is not capable of exercising objective and impartial judgment—as cosmetic. It is not a simple matter of appearance, a public relations stance designed to inspire confidence that does not bear on independence if the auditor’s lack of objectivity or impartiality has not been demonstrated. How else to explain the litany of violations in recent years?
In this author’s judgment, treating the SEC’s general standard on independence as a two-step, compliance-oriented determination is what has led to a check-the-box mentality in making the critical determination of independence. Audit firms use forms that list the specific prohibitions of the SEC’s Rule 2-01(c) or PCAOB or AICPA independence rules, but give short shrift to a meaningful analysis of how a reasonable person would assess the situation with knowledge of the facts and circumstances of all relationships among the auditor, the audit firm, and the audit client and its management. Avoiding this pitfall requires a commitment by individual auditors to avoid an implicit bias concerning their own objectivity, and a commitment by audit firms to develop policies and procedures on training, supervision, and monitoring that place greater emphasis on scrutinizing all relationships between the auditor and audit client from the perspective of a reasonable person as well as reinforce the affirmative obligation to obtain the necessary information for informed judgments and to maintain an impartial mental attitude when doing so.
An audit firm may have detailed quality control policies and procedures intended to provide reasonable assurance of maintaining independence. Nevertheless, policies and procedures—such as requiring each audit engagement team member to certify compliance with the firm’s and regulator’s independence rules—cannot replace an auditor’s internalized commitment and ability to view facts and circumstances through the eyes of a reasonable investor. The following are other specific pitfalls in maintaining independence that require more than literal compliance with specific prohibitions.
Scrutinize Whether the Conditions for a Conditionally Permissible Nonaudit Service Have Been Met
The SEC’s nonexclusive list of behavior that would render an auditor not independent includes prohibitions related to non-audit services [Rule 2-01(c)(4)]. Services related to management functions; human resources; broker-dealer, investment adviser, or investment banking services; legal services and expert services unrelated to the audit are categorically prohibited [Rule 2-01(c)(4)(vi-x)]. Other nonaudit services of bookkeeping; financial information systems design and implementation; appraisal valuation and similar services; actuarial services; and internal audit outsourcing services are conditionally prohibited [Rule 2-01(c)(4)(i-v)].
The condition that permits performing these services for an audit client is that “it is reasonable to conclude that the results of these services will not be subject to audit procedures during an audit of the audit client’s financial statements” [Rule 2-01(c)(4)(i-v)]. The potential pitfall is overlooking that the SEC has made clear that “there is a rebuttable presumption that the prohibited services will be subject to audit procedures” [SEC Release 33-8183 and Office of the Chief Accountant, “Frequently Asked Questions, non-Audit Services,” E (Question 3)]. An auditor that performs a conditionally prohibited service has an affirmative obligation to obtain all the facts and circumstances related to providing the service, and substantiate and document why there was a reasonable expectation before providing the service that audit procedures would not be applied to the results of the service. An auditor also has to be aware that the general standard must be applied in all circumstances, including when providing otherwise permissible nonaudit services.
Apply Extra Scrutiny to Bookkeeping Services
Extra scrutiny is essential if an audit firm is engaged to provide any type of bookkeeping or related service to an audit client, especially if services are provided to affiliates within the definition of an audit client. This nonaudit service prohibition is much more restrictive than the AICPA rules applicable to most nonissuer engagements. The prohibited services are specified as “bookkeeping or other services related to the accounting records or financial statements of the audit client” [Rule 2-01(c)(4)(i)]. The SEC’s prohibition is broad: the rule states the prohibition applies to “any service” unless the condition of it being reasonable to conclude that the results of the services will not be subject to audit procedures during the audit is met.
The rule provides a list of the types of services that are sufficient but not necessary to result in a violation. This list states that the prohibited services “include” the following: maintaining or preparing the audit client’s accounting records; preparing the audit client’s financial statements that are filed with the SEC, or that form the basis of financial statements filed with the SEC; or preparing or originating source data underlying the audit client’s financial statements [Rule 2-01(c) (4)(i)]. Note that the rule contains the word “including”—not “involving”—thus indicating that other services related to accounting records may be violations even if the three activities enumerated in the rule are not performed. The SEC staff has indicated, for example, that word processing or typing services, providing templates for financial statement preparation not publicly available, and similar clerical assistance are prohibited under this rule [SEC Release 33-8183 and Office of the Chief Accountant, “Frequently Asked Questions, non-Audit Services,” E (Questions 1, 8, and 9)].
Heightened scrutiny is particularly necessary when the audit firm also provides tax-related services and maintains any of the audit-client’s tax-related records. Depending on the circumstances, these records may become the basis for amounts or disclosures in audited financial statements that are subject to SEC independence requirements resulting in a violation of this prohibition.
Understand the Applicability of the Quality Controls Exception
The SEC independence requirements contain a rule sometimes referred to as the quality controls exception [Rule 2-01(d)]. This rule provides that an audit firm’s independence would not be impaired solely because a covered person in the firm is not independent of an audit client if specified conditions are met. For audit firms with 500 or fewer audit clients registered with the SEC, there are only three conditions, as follows:
- The covered person did not know of the circumstances giving rise to the lack of independence.
- The covered person’s lack of independence was corrected as promptly as possible under the relevant circumstances after the covered person or firm became aware of it.
- The firm has a quality control system in place that provides reasonable assurance that the firm and its employees do not lack independence and covers all employees and associated entities participating in the engagement, including those outside the United States. The quality control system’s ability to provide reasonable assurance takes into account the size and nature of the firm’s practice. For firms with over 500 audit clients registered with the SEC, there are additional conditions that the quality control system must meet.
The first hazard is wrongly equating “not knowing the circumstances” giving rise to the lack of independence with “not knowing of the existence of the rule” that prohibited the conduct. Ignorance of the applicable independence requirements is not excused by the quality controls, exception or otherwise. Not knowing the circumstances relates to matters such as a partner suddenly learning an immediate family member has purchased shares in an audit client, or a close relative being hired in an accounting role at an audit client. A competent auditor is presumed to have sufficient knowledge of applicable professional standards, including independence requirements.
Another hazard is to presume that because the firm has written independence policies and procedures, the quality control system provides the reasonable assurance required by the third condition. The initial violation of the independence rule when the covered person knew of the circumstances causing the violation is prima facie evidence the system did not provide reasonable assurance. It would thus be apparent that the firm did not have policies and procedures sufficient to avoid the conduct and behavior, and that training, supervision, and monitoring policies and procedures were lacking.
Inform the Audit Committee of Relationships That May Not Be Prohibited
PCAOB Rule 3526, on communications with audit committees concerning independence, requires annual written communication of all relationships between the audit firm (including affiliates) and the audit client (or persons in financial reporting oversight roles at the client) that may reasonably be thought to bear on independence (emphasis added). Part a of the rule covers the initial communication of prior services and Part b relates to an annual communication thereafter. AAER 4239 indicates EY failed to comply with PCAOB Rule 3526 by not informing the audit committee of the conduct during the RFP process.
Auditors need to be aware that SEC independence requirements may apply even when the audit client is a non-issuer.
A pitfall is for the auditor to believe that their duty is to identify whether there has been behavior that is specifically prohibited by SEC independence requirements while failing to make a thoughtful analysis of all relevant facts and circumstances, and whether a reasonable investor with knowledge of them might reasonably think they bear on the auditor’s capability to act with objectivity and impartiality.
An important function served by the annual communication to the audit committee is to allow its members to assess all relationships among the audit firm, audit client, and persons in a financial reporting oversight role that, although not specifically prohibited, may be viewed by a reasonable investor as bearing on independence. The audit firm has an affirmative obligation to be aware of all such matters and share that information with the audit committee.
Another pitfall for auditors is the belief that their own judgment about the capability to exercise objectivity and impartiality, based on experience with the audit client, is relevant in determining whether a reasonable investor would reach the same conclusion.
Recognize that SEC Independence Requirements May Apply to Certain Non-issuer Audit and Attestation Engagements
Auditors need to be aware that SEC independence requirements may apply even when the audit client is a non-issuer. The alert, “SEC/PCAOB Independence Rules for Non-Issuer Audit and Attestation Engagements,” issued jointly by the Center for Audit Quality (CAQ) and the AICPA, provides a detailed explanation of this independence pitfall. For example, SEC Rule 17a-5, “Broker Dealer Audit Reports,” requires the auditor to be independent in accordance with the provisions of SEC Rule 2-01(b) and 2-01(c). This is also true if the engagement is subject to the requirements of SEC Rule 206(4)-2 (“The Custody Rule”), which is applicable to registered investment advisors. An advisor does not have to satisfy an annual surprise examination requirement if it distributes annual audited financial statements to each member or beneficial owner of a limited liability company or pooled investment vehicle (e.g., a private investment fund) within 120 days of each fund’s fiscal year end. SEC independence requirements apply to those audits as well.
A registered broker-dealer’s financial statements under Rule 17a-5 must be audited in accordance with PCAOB standards. Accordingly, PCAOB auditing and professional practice standards apply—as do SEC independence rules. PCAOB Rule 3520, “Independence,” requires adherence to SEC independence rules as well as the PCAOB’s own rules. An audit of a private investment fund under the Custody Rule, however, may be performed in accordance with GAAS (i.e., AICPA) rather than PCAOB auditing standards, but the SEC’s independence rules must still be followed.
The applicability of SEC independence rules to nonissuers under GAAS rather than PCAOB auditing standards arises in other specialized circumstances as well. Asset-backed securities filings under Regulation AB require compliance with SEC independence rules. Other types of organizations may also be required to have their information that is filed with or submitted to the SEC audited by an audit firm that is independent in accordance with SEC rules. For example, a Nationally Recognized Statistical Rating Organization (NRSRO) must have its annual financial statements audited by an independent auditor subject to SEC independence requirements. This is true even if the NRSRO is not an issuer and the auditor applies GAAS rather than PCAOB standards.
Generally, in audits of non-issuers subject to SEC independence rules, most of the prohibitions in Rule 2-01(c) apply except for those that relate to: the cooling-off period for a former member of the engagement team joining the client in certain positions; partner rotation; audit committee preapproval of all services, and audit partner compensation. Of particular significance, Rule 2-01(b), the general standard, and the prohibitions of Rule 2-01(c) related to nonaudit services and financial, employment, business relationships, and contingent fees apply.
Certain other federal regulators, such as the Commodities Futures Trading Commission (CFTC) and the Federal Deposit Insurance Corporation (FDIC), also require compliance with certain SEC independence rules, even though the SEC has no jurisdiction over audit and attestation engagements related to information filed with these agencies. In addition, state regulators may decide to make SEC independence rules applicable to entities that are not under the SEC’s jurisdiction, such as state-registered investment advisers.
A related type of pitfall arises when a non-issuer entity meets the definition of an affiliate of an issuer audit client, and the audit firm has a prohibited arrangement with the non-issuer entity. For example, the non-issuer affiliate may have a GAAS audit, and the audit firm may insert an indemnification clause in the engagement letter that is prohibited by the SEC, but not by the AICPA.
Investors must believe they can rely on audited financial statements because the auditor providing assurance on those statements is both skilled and independent.
The Critical Role of Auditor Independence
SEC Rule 2-01 identifies the facts and circumstances in which an auditor will, and will not, be deemed independent. Rule 2-01(c) provides a nonexclusive description of specific “will nots.” Rule 2-01(b), the general standard, provides a general description of the facts and circumstances in which an auditor will also be deemed not independent—including anything that would cause a reasonable investor to conclude the auditor is not capable of exercising objective and impartial judgment on all issues involved in planning, performing, and reporting on the audit.
The SEC has repeatedly emphasized the critical role of auditor independence in terms such as the following:
Independent auditors have an important public trust. … It is the auditor’s opinion that furnishes investors with critical assurance that the financial statements have been subjected to a rigorous examination by an objective, impartial, and skilled professional, and the investors, therefore, can rely on them. [SEC Release 34-43602. This point is highlighted in AAER 4239 on the EY matter cited at the beginning of this article, as well as the other AAERs reviewed.]
In other words, investors must believe they can rely on audited financial statements because the auditor providing assurance on those statements is both skilled and independent.
To escape the pitfalls and hazards that may result in an auditor being deemed not independent, auditors must also believe that avoiding the facts and circumstances that would cause a reasonable investor to doubt the auditor’s capability to be objective and impartial is as important as adhering to the specific prohibitions that would impair independence. This belief must permeate an audit firm’s training, supervision, and monitoring directed to independence and, especially, the behavior of all auditors.