Independence for Non-Public Entities: Opinions of Members of State Boards of Accountancy
By Cecil L. Hill and Quinton Booker
CPA firms have traditionally provided their audit clients with a wide variety of nonattest services. The AICPA Code of Professional Conduct has sanctioned performance of selected additional services as long as the CPA took appropriate steps to safeguard independence. The Sarbanes-Oxley Act, however, expressly prohibits auditors of certain public companies from contemporaneously performing eight nonaudit services: bookkeeping; financial information systems design and implementation; appraisal or valuation; actuarial; internal audit outsourcing; management functions or human resources; broker or dealer, investment adviser, or investment banking; and legal and expert services unrelated to the audit.
On the other hand, section 209 of the Sarbanes-Oxley Act clearly indicates that these mandates should not be presumed to apply to CPA firms not covered by the act. State regulatory authorities are urged to “make an independent determination” of rules and regulations for firms directly under their jurisdiction.
The second general standard of Generally Accepted Auditing Standards (GAAS) states, “In all matters relating to the assignment, an independence in mental attitude is to be maintained by the auditor or auditors.” The standard indicates that auditors must be without bias with respect to clients. The public and users of audited financial statements must maintain a level of confidence in the auditor and audited financial statements.
Independence, although important, is not absolute. Because the auditor is hired and paid by the client, total independence is impossible. As far back as 1961, in The Philosophy of Auditing, Robert K. Mautz and Hussein A. Sharaf referred to the financial dependency on the client as “built-in anti-independence.” The AICPA’s Code of Professional Conduct established precepts for its members to guard against the presumption of loss of independence when performing attest services, and other entities, such as the SEC, GAO, and some state boards of public accountancy, have additional rules and regulations that attempt to identify circumstances that would indicate that the auditor has “crossed the line.”
The AICPA’s general position regarding scope of services and internal auditing services is addressed in Rule 101-03 of its ethical guidelines. Interpretation of Rule 101-03 indicates that a firm in public practice that performs attest services for a client may generally perform other nonattest services for that client as long as the CPA does not perform management functions or make management decisions. This would allow an external auditor to perform internal auditing services provided that the auditor does not act or appear to act as a member of management.
The responsibility of the client and the external auditor should be understood by both parties. Preferably, this understanding should be documented in the engagement letter, which should explicitly state that the external auditor is not an employee and does not act in a capacity equivalent to management. The auditor should not have custody of the entity’s assets, make decisions on the client’s behalf, or report to the board of directors or audit committee for management. To further reinforce the auditor’s independence, the client must designate competent management to oversee internal auditing functions. Management, not the auditor, should be responsible for internal auditing operations. The external auditor should be responsible only for performing internal auditing procedures in accordance with the terms of the engagement and reporting thereon.
But the AICPA’s position is not supported by all interested parties. In a 1995 report, “The IIA’s Perspective on Outsourcing the Internal Audit Function,” the Institute of Internal Auditors (IIA) stated that internal auditing, by its very nature, is a management function. Accordingly, the IIA has taken the position that the external auditor would not be independent if he performed this service.
As noted above, the Sarbanes-Oxley Act prohibits auditors of certain SEC registrants from performing internal auditing services for an audit client. Prior to the Sarbanes-Oxley Act, SEC rules allowed the auditor to provide limited internal auditing services for larger SEC clients. New GAO audit independence standards effective in 2003 take the position that internal auditing is a management function; therefore, CPAs doing Yellow Book audits are not allowed to provide internal auditing services for audit clients. In light of recent regulation, the question remains: Should auditors of non-SEC entities be allowed to perform internal auditing services?
To help answer that question and others, a questionnaire was developed and mailed to the 390 members of state boards listed in the 2001/2002 Committee Handbook & State Board Directory of the National Association of State Boards of Accountancy (NASBA). A total of 217 questionnaires were returned, a response rate of 55.6%. Exhibit 1 provides an overview of the respondents. Exhibit 2 contains the 15 questions that participants rated using a five-point scale, 1 meaning “strongly disagree,” 5 meaning “strongly agree.”
Responses to this survey suggest that state board members feel very strongly that CPAs performing audits of nonpublic entities should be independent, in fact and in appearance. Respondents thought (mean score of 3.49) that internal auditing is an arm of management. When asked specifically about performing internal auditing as an additional service, respondents were generally divided on the issues, including whether CPAs should be allowed to perform the services (3.07) and whether performing the services gives the appearance that the CPA is not independent (3.08). Board members (3.97) strongly believe there should be consistency between SEC and state board rules and regulations regarding providing internal auditing services. Finally, respondents mostly agreed (3.43) that, if the external auditor performs internal auditing as an additional service, this fact should be disclosed in the financial statements.
The state board members surveyed clearly feel strongly about independence. Less clear, however, is whether they feel an outright ban on nonattest services for attest clients is the answer. Respondents were split on the issue of whether or not an auditor should be allowed to provide internal auditing services. But the results suggest that most board members could agree with an auditor providing internal auditing services if certain safeguards were implemented to protect independence.
©2006 The CPA Journal.