CPAs who provide attestation services need to check out the new code of professional conduct. Soon. Seriously, check it out. Before the end of the year.
Actually you should check out the Code of Professional Conduct in the next four or six weeks so you can make some changes to your engagement letters.
Yesterday I worked through the document in-depth for the first time. Will go into more detail on the code later.
A few highlights follow. Just a few.
Update: See added comment on the 12/15/14 effective date.
Identify threats and implement safeguards, then document doing both
Before the attestation engagement starts, an accountant needs to identify circumstances that are a threat to complying with the code. Threats fall into the categories of
- adverse interest,
- management participation,
- self review, and
- undue influence.
If threats are present in any of those areas, the threats must be identified. The severity of the threat needs to be evaluated. If necessary (that qualifier is a conversation by itself), the accountant must put in place safeguards that reduce the threat to an acceptable level (another full conversation).
Then that assessment of threats, evaluation, and safeguard implementation needs to be documented in the workpapers. If the threat is not reduced to an acceptable level, there is a violation of whatever the requirement may be, whether it is independence or conflict of interest. If the documentation is lacking, that is a failure of the “compliance with standards rule” section of the code.
That means if you didn’t document disposition of a threat to independence, you still maintain your independence. You would, however, have a violation of the requirement to comply with the code. That is a deficiency in your audit work, but it would not compromise independence.
There needs to be more documentation in the workpapers.
This is a biggie. I’ll give the briefest thumbnail description, so you can understand how important it is to dive into the code.
If there are any non-attest services involved in the engagement, it is necessary for a member of management to oversee the services. This person must have suitable skill, knowledge, and/or experience to have a sufficient understanding of the services to be performed so that the person can oversee them.
Check out ET section 1.295.040.01. (Yeah, yeah, sounds like a phone number in Europe or something, just like the ASC.)
Accountants will need to document why they believe that person has the suitable skill / knowledge / experience.
Trust me, you’ll be hearing about SKE a lot in the next few years. You will be talking about it in your next peer review.
What are non-attest services?
The code explicitly says that drafting financial statements, preparing cash-to-accrual adjustments, and reconciliations are non-attest services. Check out ET 1.295.01.06.
That means if you are drafting financials then you must identify the threat, identify and implement safeguards, and document doing so.
To double down on the dangers of drafting financial statements, ET 1.295.030.02j says management functions include:
Accepting responsibility for the preparation or fair presentation of the attest client’s financial statements in accordance with applicable financial reporting framework
If you step into that function, or one of the other explicitly listed management functions, independence is impaired. No safeguards can reduce the risk.
In 25 years of working with non-profit organizations, I know of exactly two, count ‘em 2, charities that could draft the basic financial statements. Neither of those organizations took on the notes. In four plus years working in two different Big 4 firms (eh, Big 8 then), I wasn’t aware of any clients who drafted their own financials, including publicly traded companies.
That makes two clients in four firms over 30 years who drafted their own financials (sans notes).
My guess is exquisitely few organizations outside the Single Audit and SEC registrant world draft their own financials.
Reviews and Comps
The code doesn’t just apply to audits. Those requirements to address and document threats and safeguards apply to all attestation engagements, including your reviews and comps.
As a further wild guess, the number of review and comp clients that prepare their own financials is smaller than the number of audit clients who can do so.
Picture what the conversation might look like if you have a chat in your next peer review about missing the above requirements. It won’t be pretty and you won’t like the outcome.
If you haven’t done so, it’s time to dig into the new code and figure out what changes you may need to make in your firm to be compliant.
Update: Gary Zeune mentioned it might be worth talking about the effective date. Great idea. Here is a bit more info…
Effective 12/15/14, which affects your year-end work
The effective date is December 15, 2014.
That has several implications.
First, this is not optional. You and I don’t have a choice in the matter.
I know you don’t like it and I hear that grumbling out there. Go ahead and gripe again. Get it out of your system.
Done? Okay. The new code still goes into effect about 60 days from now.
Second, this will apply to all of your year-end work. Remember all those audits and reviews and compilations with 12/31/14 balance sheet dates? You must address threats against your independence and implement your safeguards for 12/31 work before you start the work. You must document the threats and safeguards in your workpapers.