Five Auditor Independence Issues PCAOB SAG Not Yet Addressing

My headline story yesterday was about the regulatory black hole that exists for the consulting practices of the Big Four audit firms. (The abyss exists for all of the audit firms but, as usual, we will focus here in the business of the Big Four given their influence on issuers, aka publicly listed companies.)

There are five big issues that space prevented a full discussion of yesterday and that are not on the agenda of the PCAOB Standing Advisory Group meeting this week. My hope is that regulators, policy makers and other interested parties will start talking about these issues, too, while I am in DC this week.

1)    US regulators are not enforcing existing rules —the pre- and post- Sarbanes-Oxley rules — regarding auditor independence for the US firms of the Big Four auditors who also provide consulting services for those clients.

I’ve written numerous times about independence violations only to see no visible action by the SEC or PCAOB. This is what I’ve written just since the beginning of 2012 about auditor independence issues. Many posts reference earlier warnings about the activities, especially the broker-dealer independence issues.

January 26, 2012, KPMG Nixes GE Loaned Tax Staff Engagement

February 22, 2012, Are Auditors Reporting Fraud And Illegal Acts? The SEC Knows But Isn’t Telling

December 1, 2012, Deloitte, HP And Autonomy: You Lose Some But You Win Some More, Much More Big, big story at the end of 2012 that involves all four of the Big Four audit firms and is a prime example of the growing influence  – and the threat to auditor independence – of the reestablished consulting practices in the firms. It also highlights the media confusion about the all roles audit firms are playing these days. Often they are not audit-related and yet the media often does not know for sure how to refer to the firms or their specific responsibilities and potential legal liabilities.

December 26, 2012, PwC and Thomson Reuters: Too Close For Comfort

February 1, 2013, A Summary of Writing on the “Independent” Foreclosure Reviews and the AG Mortgage Settlement

February 18, 2013, Tax Pays: HP Pays Ernst & Young Two Million To Testify

April 22, 2013, Scott London Subverted Sarbanes-Oxley: Big Four Mock Audit Partner Rotation

June 30, 2013, More Conflicts For The “Independent” Foreclosure Reviews

September 3, 2013, Broker-Dealer Audits Still Badly Broken

September 29, 2013, Pershing Square’s Bill Ackman Tells PwC, “Herbalife Is Your Problem Now”

2)    The consulting practices of the Big Four audit firms are unregulated. I explained that yesterday and New York Superintendent of Financial Services Ben Lawsky agrees. Both SEC and PCAOB leadership claimed, to Congress, that consulting activities provided to non-audit clients are outside their jurisdiction.

3)    No US regulator aggressively, transparently vets audit firm merger and acquisition activity for the US firms of the Big Four auditors to judge anti-competitive impact and compliance with auditor independence rules.

4)    Big Four firms are vigorously re-growing the consulting practices and the concerns that go with them in the last five-six years on an organic and M&A basis. Deloitte never stopped and the other three firms who sold practices between 2000-2002 started planning as soon as non-compete agreement ends were in sight. At least one firm, Deloitte, is poised to soon see consulting revenue outpace audit revenue and appointed a consulting partner to head its second largest market.

5)    The consulting/advisory practices of the Big Four audit firms are mostly now branded, marketed, and managed together with audit and tax, under one leader, per industry and overall globally, such that it’s becoming impossible for the average person to distinguish audit services from advisory.

How can audit committees, investors, media, regulators, courts and even industry professionals understand the difference? This is particularly challenging given the global nature of the firms and their service to multinationals by member firms that may all be working under different regulatory and legal constraints regarding service offerings and independence.

Just take a look at this from PwC.

Financial Services industry leader James Flanagan is responsible for both the industry group as a whole and “Assurance”. Presumably Mr Foy and Mr Ryan report to him.

This is how the industry practice is described:

PwC’s US financial services industry group is a distinctive business practice that provides audit, technical accounting, tax, regulatory, compliance, risk management, outsourcing, securities processing, payments, information risk and security, data quality, mergers and acquisitions, and other services. Our integrated knowledge enables us to help our clients design solutions that work.

Given that “assurance” is a code word for audit at PwC, is the following cross-industry practice considered “assurance” or consulting? It has its own hybrid heading under “Services” not under “Audit/Assurance” or under “Consulting”. Basically these three guys have split up the universe—Assurance, Tax and Advisory—and Mr Flanagan is also responsible for the industry vertical for all three.

I see some consulting-type services that are legally prohibited from being provided by the auditor, some that are not and some that could be part of an audit engagement. The IPO readiness service is particularly challenging to parse since the auditor cease three years, or two years for EGCs, any prohibited consulting services provided to a pre-IPO company if the firm’s opinions are included in the S-1.

I’ve also written quite a bit about how the firms market cross-border services that are a mix or audit/assurance and consulting, in and out of China, to Chinese companies.

Postscript: I have been schooled today by Scott Showalter, retired KPMG audit leader and now a professor in the accounting department at North Carolina State University. He explained to me that per the AICPA, “Assurance” is the general term and “audit” and “attestation” are subsets of “Assurance”.  He pointed me to work done by the AICPA to explain to practitioners the opportunities for CPAs to provide more services to clients over and above traditional financial statement audits. There is enormous confusion in the general business public, including amongst journalists who cover these topics, about where certain service lie on the spectrum from “attestation” to consulting.  I hope this helps.

Here’s how the AICPA explains it:

This section describes the Special Committee on Assurance Service’s conceptual framework for assurance services. It is intended to be helpful to AICPA committees, individual CPAs, and firms in identifying, defining, and delivering future assurance services. It does not have the authority of a standard issued by an AICPA senior technical committee, has not undergone the Institute’s process to establish standards, and is not part of the Code of Professional Conduct.

The framework’s primary objective is to provide a consistent view of assurance services. It provides guidelines that will enhance consistency and quality in the performance of services. It can also help establish a common public perception of the CPA’s function and value.

Assurance services evolve naturally from attestation services, which in turn evolved from audits. The roots of all three are in independent verification. However, the form and content of the services differ. The earlier services are highly structured services considered to be relevant to the greatest number of users. The newer ones are more customized and targeted services intended to be highly useful in more limited circumstances.

Even when assurance services do not deal with traditional accounting data, they are consistent with the concept of certified public accounting. As the AICPA has stated (BL921.06-.07):

In the practice of public accounting CPAs bring competence of professional quality, independence, and a strong concern for the usefulness of information and advice they provide…. The professional quality of their services is based upon experience and the requirements for the CPA certificate – education and examination – and upon the ethical and technical standards established and enforced by their profession.

Assurance services are expected to form a platform for the future evolution of the profession. This framework is purposely broad so that it does not inhibit the growth and usefulness of the services in circumstances that cannot be foreseen today. It provides focus so that users benefit from the most valuable traits of CPAs and aspects of today’s CPA services.

Definition of Assurance Services

Assurance services are independent professional services that improve the quality of information, or its context, for decision makers.

Implicit in this definition is the idea that people use assurance services when they have to make decisions. The services are intended to improve the information used in the decision process. Presumably, better information should lead to better decisions.

Rational decisions are made based on information. Assurance services might involve any type of information. Information can be financial or nonfinancial. It can be about discrete phenomena or about processes or systems (such as internal control or decision models). It can be direct (such as information about a product) or indirect (such as information about someone else’s assertion about a product). It can be internal or external to the decision maker. The goal of assurance services is information improvement, not the issuance of a report on it (though there might be a report).

The term assurance implies to some a form of report in which the practitioner provides an independent conclusion about someone else’s information. However, because this view focuses on appearance and is unnecessarily constricting, it is not incorporated in the definition of assurance services. Requiring a written report, for example, is unwieldy in many situations, such as on data in electronic format. It is the service itself that provides value, not the report, although a report is one way to demonstrate value. Trying to fit a range of services into a predetermined presentation or reporting format would stifle the growth of services and would not be responsive to the needs of decision makers.

Assurance services help people make better decisions by improving information available to them. To consider the ramifications and limitations of this definition consider how decisions are made. Events are captured, summarized, refined, and used to make decisions. Assurance services can:

• Capture information. Assurance services can capture information by using existing or improved measurement tools.
• Improve information reliability. Raw information is refined into reliable information. This is the scope of the attestation standards; improving the reliability of information. This type of service is independent of the decision maker. Any raw information can be refined, regardless of whether it is used for decision making at all.
• Improve decision-making. Services can improve decision making by enhancing not only the reliability of information, but also its relevance and availability for the decision maker. Decision making also can be improved by improving the context, such as decision models, used by the decision maker. This facet of assurance services differs from existing attestation models.

Independence

Users rely on the CPA’s independence. They derive value from the fact that CPA has no interest in the information other than its usefulness. Accordingly, independence has been, and will continue to be, the foundation on which the assurance function is based. The concept of independence for assurance services is consistent with, but framed differently from, its counterpart for audit or attestation services.

Assurance independence is an absence of interests that create an unacceptable risk of material bias with respect to the quality or context of information that is the subject of an assurance engagement.

There is no definition of independence governing audits. The concept currently applied is based on independence rules in the code of conduct and a passage in GAAS (SAS No. 1, AU220). The definition of independence as it applies to assurance engagements has been extrapolated from the fundamental assumptions inferred from the authoritative statements on audit independence.

Under this concept of independence, the practitioner considers any interests that could cause bias with respect to the information. There are two kinds of interests that could damage a CPA’s independence: economic interests and psychic interests. Ownership of an auditee’s stock is an economic interest. A brother who is the CEO of an auditee is a psychic interest. However, a single circumstance can have characteristics of both categories. For example, an assurer who makes managerial decisions for a client has both a psychic interest and an economic interest – continued employment – that could affect objectivity.

Information can be independently developed, assembled, and delivered only when the assurer has no interest in the supplied information that would create an unacceptable risk of material bias. Merely preparing information does not create an interest inconsistent with desiring its accuracy or being objective. The independent preparer of information would remain equally independent before, during, and after having prepared the information; parties interested in the quality of the information would benefit from its independent preparation (assuming the assurer’s competence, integrity, and objectivity and the user’s need for the information).

The concept of professional services encompasses the application of professional judgment, which is the CPA’s stock-in-trade. This judgment, along with independence, is a cardinal value added by a CPA’s participation. While advances in information technology can speed the accumulation or analysis of data, technology cannot replace the practitioner’s professional judgment. This judgment distinguishes assurance services from mere summarizing of data. Accordingly, an engagement to simply process data without applying judgment in its preparation or presentation is not an assurance engagement.

In providing a professional service, the CPA is bound by rule 201 of the AICPA Code of Professional Conduct. Rule 201 requires that practitioners comply with the following standards in all engagements:

Professional competence. Undertake only those professional services that the member or member’s firm can reasonably expect to be completed with professional competence.

Due professional care. Exercise due professional care in the performance of professional services.

Planning and supervision. Adequately plan and supervise the performance of professional services.

Sufficient relevant data. Obtain sufficient relevant data to afford a reasonable basis for conclusions or recommendations in relation to any professional services performed.

The practitioner applies professional judgment to the information on which the service is performed. The procedures applied are those appropriate for the specific level of service he or she is engaged to perform. They might or might not involve testing of assertions.

Some assurance engagements involve attestation or other services that are already covered by detailed performance and reporting standards, although many don’t. When performing an assurance engagement, the practitioner should consider whether the measurement criteria to be used are appropriate for the purpose. GAAS requires the use of GAAP (or another comprehensive basis of accounting “OCBOA”) as measurement criteria. The attestation standards require that measurement criteria be established in a certain manner or be adequately described in the presentation. Other assurance engagements are more flexible in their use of criteria. (Certain standards, such as the Government Auditing Standards for audits of certain governmental entities, call for the use of specified criteria.)

The practitioner can be satisfied that the measurement criteria are appropriate in the circumstances by involving decision makers in the selection. Decision makers preferably are consulted before the engagement to make sure the criteria are appropriate in the circumstances. Ideally, decision makers also provide feedback to the practitioner regarding the efficacy of the engagement and their satisfaction with the output.

There are no specific report forms for assurance engagements, unlike audit and other attestation engagements. However, communication of the engagement results is a characteristic of assurance services. Users can obtain assurance from the practitioner’s service only if they are aware of his or her involvement. Accordingly, there must be some form of communication by the practitioner. The communication need not be a formal or written report. The communication may be oral or otherwise indicated through the practitioner’s involvement.

Improving the Quality of Information or Its Context

The improvement in information quality comes about as a result of the practitioner’s involvement in the engagement. It does not necessarily mean that information subject to the practitioner’s service is different from what it would look like if there were no assurance engagement. The application of professional judgment provides assurance to users that would not exist without the practitioner’s involvement. This is similar to the situation in which an auditor issues an unqualified report on financial statements, but does not actually draft them or propose adjustments to them.

The term quality explicitly identifies the key driver of the service. The term encompasses the concept of decision usefulness. Assurance services can provide confidence about either of two aspects of the information (The dichotomy used here differs somewhat from the description in Statement of Financial Accounting Concepts No. 2 to simplify the discussion.):

• Reliability, which includes representational faithfulness, neutrality, and consistency among periods
• Relevance, which includes understandability, comparability with other entities, usability, and completeness.

An assurance service can add confidence about reliability, relevance, or a combination of them. In some cases, reliability may be sacrificed for relevance (recognizing that some will argue that data that are unreliable cannot be relevant). Many people think that is a bad tradeoff, but the decision is essentially a cost/benefit decision for each individual user. A service that sacrifices some reliability for increased relevance is by definition an assurance service because of the relevance improvement. Users can decide if the overall quality of the information is improved given the intended use. If so, the service will be purchased; if not, it won’t.

Context relates to the information’s relevance to the decision-maker. It includes the decision process and the format in which the information is presented. Although related to relevance, it is not the same because context doesn’t affect the information itself but, rather, how it is used. For example, sorting disaggregated data changes neither their relevance or reliability, but it might improve the context in which they are used.

Decision makers

Decision makers may be, but are not necessarily, clients. Assurance services are intended to provide a benefit to the decision maker. The decision-maker is, accordingly, featured prominently in the services’ definition. This construction differs from the technical descriptions of audit, attestation, compilation, review, and consulting services, which refer, instead, to the practitioner’s output. This point is a critical recognition of the importance of a customer focus.

Although it’s not intrinsic to the definition of assurance services, there are, as a general rule, three parties involved in an assurance engagement. The engagements are generally provided when there is an oversight or accountability relationship. The practitioner is called upon to provide assurance that helps one party make a decision involving that accountability or oversight of the other.

In some cases, two of the three “parties” might be employed by the same entity. For example, the board of directors has an oversight responsibility for the enterprise’s operating units. It might engage the practitioner to provide an assurance service involving measurement of performance of those operating units or for assurance regarding the quality of the information systems in use in the company. In those cases there are three parties to the engagement (the practitioner, the board of directors, and the operating or support unit) although it might not appear so at first glance.

The third-party interest is a principal reason for the need for independence in assurance services. When there are two parties with conflicting interests (such as a call by one for accountability from the other), it is important that the CPA have no interest in the information other than its quality and context.

The Public Interest

There are no laws or regulations that reserve to CPAs the provision of assurance services (beyond audits and, in some cases, compilations or reviews of financial statements). Users turn to CPAs for assurance services because of their reputation for integrity, objectivity, due professional care, and their genuine interest in serving the public. These are the hallmarks of the profession. Assurance services should be consistent with acceptable professional behavior for CPAs.

The AICPA Code of Professional Conduct (ET57.03) advises that, “The practitioner should practice in a firm that has in place internal quality-control procedures to ensure that services are competently delivered and adequately supervised.” A commitment to quality control helps permit the CPA to assume new responsibilities seemingly unrelated to the traditional core of accounting and auditing.

Building quality into the design of assurance services recognizes the public interest. To continuously improve the practice, CPA firms can apply total quality management techniques, including feedback from users, to enhance assurance services.

Distinguishing Assurance and Other Services

Attestation Services
An attestation service is defined as:

an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. (SSAE No. 1, AT100.01)

Assurance services encompass attestation services. That is, all attestation (and audit) services are assurance services. The overriding principles and any rules that derive from them also apply to attestation services. However, additional detailed standards apply to attestation services. They are contained in the statements on standards for attestation services. There are no conflicts between the SSAEs and the conceptual framework discussed here, although additional requirements apply to attestation engagements.

The following requirements apply to attestation services, but do not apply to other (nonattestation) assurance services:

• Attestation services require written assertions and a practitioner’s written report.
• Attestation services require the formal establishment of measurement criteria or their description in the presentation.
• The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.

Compilation Services
Compilation services are defined as:

presenting in the form of financial statements information that is the representation of management (owners) without undertaking to express any assurance on the statements. (SSARS No. 1, AR100.04)

A compilation improves the quality of information by displaying it in a GAAP (or OCBOA) format and the practitioner’s identification of obvious errors. Accordingly, it falls within the definition of an assurance service despite the fact that no assurance is explicit in the practitioner’s report.

Consulting Service
Professional standards define consulting services as:

professional services that employ the practitioner’s technical skills, education, observations, experiences, and knowledge of the analytical approach and procedures used in a consulting engagement. [Those procedures may involve determining client objectives, fact-finding, definition of problems or opportunities, evaluation of alternatives, formulation of proposed action, communication of results, implementation, and follow-up.] (SSCS No. 1, CS100.05)

Assurance does not encompass consulting services. There are often similarities between assurance and consulting services because they are delivered using a similar body of knowledge and skills. What differentiates the two services is the context in which the knowledge and skills are deployed.

In an assurance engagement the primary purpose of the service is to improve the quality or context of information. Although information quality or context might be improved in a consulting engagement, that is not its primary purpose. For example, in an engagement to design and install a computer application, the primary purpose is to install the application even though the resulting information may ultimately be improved. Thus, it is a consulting engagement.

The difference between consulting and assurance services is based on the goal of the engagement: consulting services focus on outcomes; assurance services focus on decision-makers and the information they use. Consulting services are designed to improve the client’s condition directly. Assurance services attempt to help decision makers (who might not be clients) arrive at optimum decisions. An assurance service is intended to improve the decision maker’s condition only indirectly (that is, through the use of high-quality information for decision making). The provision of assurance services involves work that often results in the practitioner’s forming recommendations for improvement, for example, in an entity’s processes. Attestation and other assurance services generally result in such ancillary recommendations.

In a consulting service the practitioner develops findings, conclusions, and recommendations presented. It is generally a two-party arrangement: the CPA and the client. Assurance services are an extension of the audit/attestation tradition. Accordingly, they are generally provided in the context of the CPA’s intermediation between two parties with noncongruent interests. The two parties may, however, work for the same entity (for example, operating and financial personnel).

Distinguishing assurance and consulting services is not always easy; similar goals can be achieved through either approach. For example, a client that wants information about the quality of its internal controls could engage a CPA to provide a critique with suggestions for improvement under the consulting standards or provide a report on internal control effectiveness under the attestation standards.

The following chart compares the types of services:

	Attestation	Assurance	Consulting
Result	Written conclusion about the reliability of the written assertions of another party.	Better information for decision-makers. Recommendations might be a byproduct.	Recommendations based on the objectives of the engagement.
Objective	Reliable information.	Better decision making.	Better outcomes.
Parties to the engagement	Not specified, but generally three (the third party is usually external); CPA generally paid by the preparer.	Generally three (although the other two might be employed by the same entity); CPA paid by the preparer or user.	Generally two; CPA paid by the user.
Independence	Required by standards.	Included in definition.	Not required.
Substance of CPA output	Conformity with established or stated criteria.	Assurance about reliability or relevance of information. Criteria might be established, stated, or unstated.	Recommendations; not measured against formal criteria.
Form of CPA output	Written.	Some form of communication.	Written or oral.
Critical information developed by	Asserter.	Either CPA or asserter.	CPA.
Information content determined by	Preparer (client).	Preparer, CPA, or user.	CPA.
Level of assurance	Examination, review, or agreed-upon procedures.	Flexible, for example, it might be compilation level, explicit assurance about usefulness of the information for intended purpose, or implicit from the CPA’s involvement.	No explicit assurance.

Following is a graphic representation of the relationship among the professional services in the universe of CPA services. It shows that the boundary between assurance and consulting services is indistinct. The relative scales do not imply the size or importance of the practices or opportunities. The shaded area represents those services on the fringes that, if structured to meet one goal, are assurance services and, if structured to meet a different one, are consulting.