25 Jun Spotlight on auditor independence and hosting arrangements
With Independence Day coming up, it’s a good time to check up on auditor independence issues. This is especially important in 2018. Why? New rules go into effect this fall that may warrant changes to the services provided by your audit firm. If you discover potential issues now, there’s still plenty of time to take corrective action before next year’s audit begins.
Independence is one of the most important requirements for audit firms. It’s why investors and lenders trust CPAs to provide unbiased opinions about the presentation of a company’s financial results. The AICPA and the Securities and Exchange Commission (SEC) have rules regarding auditor independence. Even the U.S. Department of Labor has issued independence guidance for auditors of employee benefit plans.
The AICPA specifically goes to great lengths to explain how auditing firms can maintain their independence from the companies they audit. In short, auditors can’t provide any services for an audit client that would normally fall to management to complete. Auditors also can’t engage in any relationships with their clients that would compromise their objectivity, require them to audit their own work, or result in self-dealing, a conflict of interest, or advocacy.
Independence is a matter of professional judgment, but it’s something that accountants take seriously. A firm that violates the independence rules calls into question the accuracy and integrity of its client’s financial statements.
Today, some businesses have chosen to host their company’s data with their audit firm. In response, the AICPA’s Professional Ethics Executive Committee announced a change to the profession’s independence rules. As of September 1, 2018, to maintain independence, auditors can’t perform any of the following services for their audit clients:
- Serve as the sole host of a client’s financial or nonfinancial records.
- Function as the primary custodian of a client’s data, meaning that the company must access data in the CPA’s possession to have a complete set of records.
- Provide business continuity and disaster recovery support services.
Not all custody or control of a client’s records results in hosting services, however. The new rule narrowly interprets hosting services to mean the audit firm has accepted responsibility for maintaining internal control over data an audit client uses to run the business. Accepting responsibility to perform a management function explicitly compromises auditor independence.
Finding a host with the most
Is your audit firm responsible for managing your company’s data? If so, it may be time for a change. Data migration isn’t necessarily time-consuming, but it may take time to find a new hosting company with the right balance of security and services to meet your data storage and access needs. Contact us to evaluate your hosting arrangement and, if necessary, identify an alternate provider to stay in compliance with the AICPA independence rules.