AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS
DIVISION OF PROFESSIONAL ETHICS
PROFESSIONAL ETHICS EXECUTIVE COMMITTEE
OPEN MEETING AGENDA
NOVEMBER 9-10, 2009
HOTEL MONACO, SAN FRANCISCO
November 9, 2009
1. Welcome and Introductions (9:00 a.m. – 9:20 a.m.)
Mr. Dakdduk will welcome the new members. Committee members will be asked to
2. Interpretation 101-3: Establishing or Maintaining Internal Control (9:20 a.m. –
Ms. Snyder will discuss a potential clarification to Interpretation 101-3 for the
Committee’s discussion and feedback.
Appendix 2 contains background information.
BREAK 10:30 a.m. – 10:45 am.
3. Confidential Client Information (10:45 a.m. to 11:30 a.m.)
Mr. Curry, Chair of the Rule 301 Task Force, and staff held a conference call with
members from academia to discuss their concerns with the proposed Rule 301 guidance.
Mr. Curry will provide an overview of the issues noted during this call. The Committee’s
feedback is welcomed.
4. IFAC Update (11:30 a.m. – noon)
Mr. Dakdduk and Ms. Snyder will update the Committee on the IFAC International
Ethics Standards Board for Accountants’ (IESBA) October 2009 meeting in Tokyo.
LUNCH BREAK 12:00 p.m. – 1:00 p.m.
5. Client Affiliate Task Force (1:00 p.m. – 1:30 p.m.)
Mr. Lynch will report on the activities of Client Affiliate Task Force.
6. Codification Task Force (1:30 p.m. – 2:45 p.m.)
Ms. Allen will report on the Codification Task Force’s activities since the last meeting.
The Committee’s feedback is appreciated.
BREAK 2:45 p.m. – 3:00 p.m.
7. Inadvertent Violations (2:45 p.m. – 3:15 p.m.)
Ms. Goria will report on the activities of the Inadvertent Violations Task Force and solicit
guidance from the Committee on the Task Force’s direction.
8. NASBA Annual Meeting (3:15 p.m. – 3:45 p.m.)
Mr. Hansen and Mr. Dakdduk will report on the discussions held at the annual NASBA
meeting. In addition, Mr. Hansen and Ms. Snyder will update the Committee on any
feedback received on the CPA Firm Name white paper.
9. IFRS/XBRL Task Force (3:45 p.m. – 4:15 p.m.)
Mr. Bochanski will present the IFRS/XBRL Task Force’s proposed approach for the
Appendix 9 summarizes the Task Force’s proposed approach.
9. IFAC Convergence - Members In Business and Industry Task Force (4:15 p.m. –
Mr. Steiger will report on the Task Force’s activities to date.
11. Professional Ethics Executive Committee Agenda: October 2007 – October 2010
(4:45 p.m. – 5:00 p.m.)
The agenda was updated to reflect changes to the composition of certain Task Forces. In
addition, Mr. Dakdduk will discuss a new project he would like the Committee to
consider adding to the agenda.
Appendix 11 is on the agenda for the Committee to approve the changes made to the
12. Minutes of July 30-31, 2009 Professional Ethics Executive Committee Open Meeting
The open meeting minutes were approved by the Committee’s via email and are available
on the Ethics Team webpage.
Date: October 31, 2009
To: The Professional Ethics Executive Committee
From: Lisa Snyder, Director
Subject: Interpretation 101-3: Establishing and Maintaining Internal Control
In its comment letter to the Accounting and Review Services Committee (ARSC), dated July 31, 2009, regarding ARSC’s “Proposed Statement on Standards for Accounting and Review
Services” (Proposed SSARS), the PEEC noted that the proposed definition of internal control 1services scopes in certain nonattest services that currently do not impair independence under Interpretation 101-3, Performance of Nonattest Services. Accordingly the PEEC recommended
“…the definition and discussion of internal control services in the proposed SSARS (i.e., paragraphs 16 through 18 of the Proposed SSARS: Compilation of Financial Statements; and paragraphs 26 through 28 of the Proposed SSARS: Review of Financial Statements) be revised to eliminate any sweeping statement that could result in permissible services being characterized as impairing independence. A direct reference to Interpretation 101-3 would also help to clarify that impairment decisions involving nonattest services should be made in the context of the Interpretation.”
After considering the PEEC’s comment letter concerning the aforementioned issue, the ARSC has preliminarily agreed to revise the definition to make it consistent with Interpretation 101-3. Specifically, the revised definition refers to Interpretation 101-3, as follows:
An internal control service is a nonattest service performed by the accountant to 4establish or maintain internal controls, including performing ongoing
monitoring activities for a client. Pursuant to Interpretation 101-3, Performance
of nonattest services of Section 101 of the AICPA Code of Professional Conduct,
establishing or maintaining internal controls for a client, impairs the
accountant’s independence. If pursuant to Interpretation 101-3 the performance
of a nonattest service does not impair the accountant’s independence, the
nonattest service is not an internal control service.
1 The proposed SSARS stated that the performance of internal control services would impair independence and
defines the term, in part, as follows:
An internal control service is a nonattest service, separate from the compilation engagement, performed by
the accountant on behalf of management to design or operate any aspect of internal control over financial
reporting. If the objective of the service is to assist the client in preventing or detecting and correcting
misstatements in the financial statements or the financial information, then that service is an internal
4 The Committee of Sponsoring Organizations of the Treadway Commission
(COSO) defines internal control as a process effected by management (or those
charged with governance and other personnel) designed to provide reasonable
assurance about the achievement of the entity’s objectives. Internal control
consists of five interrelated components: (1) Control environment sets the tone
of an organization, influencing the control consciousness of its people. It is the
foundation for all other components of internal control, providing discipline
and structure; (2) Entity’s risk assessment is the entity’s identification and
analysis of relevant risks to achievement of its objectives, forming a basis for
determining how the risks should be managed; (3) Information and
communication systems support the identification, capture, and exchange of
information in a form and timeframe that enables people to carry out their
responsibilities; (4) Control activities are the policies and procedures that help
ensure that management directives are carried out; and (5) Monitoring is a
process that assesses the quality of internal control performance over time.
While this definition would be consistent with the independence guidance under Interpretation 101-3 (i.e., establishing or maintaining internal controls for a client impairs independence under the “General Activities”), it has also raised questions as to what is meant by establishing or fn 9maintaining internal controls, including performing ongoing monitoring activites for a client.
It has been brought to Staff’s attention that some perceive an inconsistency in Interpretation 101-
3 because certain bookkeeping services and other nonattest services that are permitted under Interpretation 101-3 could be viewed as “maintaining internal controls” for the client. For example, bookkeeping is recognized to be part of the COSO information and communication element, additionally some activities such as performing calculations (e.g. tax provision, leases, LIFO reserve), maintaining ledgers (e.g. fixed asset ledger), performing reconciliations and identifying adjusting journal entries have been viewed as maintaining the client’s internal control regardless of whether management has met the general requirements of the Interpretation (e.g., oversees the service, reviews and approves the work and makes all significant judgments and decisions).
Staff does not believe it was the Committee’s intent to preclude bookkeeping and other nonattest services for the client notwithstanding the fact that these activities would be considered part of internal control under the COSO framework. Rather, it appears the language establish or
maintain internal controls, including performing ongoing monitoring activities was taken from
COSO and used to describe an activity that would be a responsibility of management and therefore impair independence.
fn 9 Monitoring can be accomplished through ongoing activities, separate evaluations, or a combination of both. Ongoing monitoring activities
are the procedures designed to assess the quality of internal control performance over time, and is built into the normal recurring activities of an entity; these activities include regular management and supervisory activities. Separate evaluations focus on the continued effectiveness of a client's internal control. A member's independence would not be impaired by the performance of separate evaluations of the effectiveness of a client's internal control, including separate evaluations of the client's ongoing monitoring activities . [Footnote added, effective July 31, 2007, by the Professional Ethics Executive Committee.]
The Committee is asked to discuss this issue and consider possible ways to clarify the intent of this general activity so that it is consistent with the various activities permitted under Interpretation 101-3.
In discussing this issue, the Committee may wish to consider the following possible revisions to the general activity:
Conform general activity to language used in IFAC Code
The IFAC Code (i.e., “Management Responsibilities” and “Internal Audit Assistance”) states that “taking responsibility for designing, implementing and maintaining internal control” would
involve assuming management responsibilities and therefore impair independence. The Committee is asked to consider whether the following revision to adopt the IFAC language would help to clarify the general activity. An added benefit of this approach is that it would converge the AICPA guidance with that of IFAC:
Taking responsibility for establishing or maintaining internal controls, including fn 9 for a client. performing ongoing monitoring activities
In considering this revision, the Committee should also consider whether additional clarification such as the following would be helpful: Assisting in the establishment or maintenance of specific
controls would not impair independence in circumstances where the client continues to have responsibility for establishing and maintaining internal controls.
Clarify prohibition only applies when general requirements are not met
Another possible revision would be to clarify that the general activity is not meant to capture those activities where management oversees the service, makes all decisions and accepts responsibility for the service (i.e., meets the general requirements set forth in the Interpretation). For example, a possible revision could be as follows:
Establishing or maintaining internal controls, including performing ongoing monitoring fn 9activities for a client, unless the general requirements of this Interpretation are met
including the client makes all management decisions, oversees the service and accepts
responsibility for the results of the service.
Some may view these proposed revisions as “lowering the threshold” from existing language and therefore, permit members to perform certain aspects of internal control otherwise prohibited by this general activity. The Committee is asked to discuss whether it believes this may be the case. The Committee may also wish to review relevant guidance and terminology issued by IFAC, COSO and PEEC as provided below. In addition, the Committee should consider revising the existing guidance under “Internal Audit Assistance Services” of Interpretation 101-3, including
the following bullet under activities that would impair independence:
; Performing ongoing monitoring activities or control activities (for example, reviewing loan
originations as part of the client's approval process or reviewing customer credit information as
part of the customer's sales authorization process) that affect the execution of transactions or
ensure that transactions are properly executed, accounted for, or both, and performing routine
activities in connection with the client's operating or production processes that are equivalent to
those of an ongoing compliance or quality control function
The Committee’s consideration of this matter is appreciated.
The IFAC Code (i.e., “Internal Audit Assistance”) states, in part, that:
290.197 Examples of internal audit services that involve assuming management responsibilities include:
(a) Setting internal audit policies or the strategic direction of internal audit activities;
(b) Directing and taking responsibility for the actions of the entity’s internal audit employees;
(c) Deciding which recommendations resulting from internal audit activities shall be
(d) Reporting the results of the internal audit activities to those charged with governance on
behalf of management;
(e) Performing procedures that form part of the internal control, such as reviewing and
approving changes to employee data access privileges;
(f) Taking responsibility for designing, implementing and maintaining internal control;
(g) Performing outsourced internal audit services, comprising all or a substantial portion of
the internal audit function, where the firm is responsible for determining the scope of the
internal audit work and may have responsibility for one or more of the matters noted in
290.198 To avoid assuming a management responsibility, the firm shall only provide internal audit services to an audit client if it is satisfied that:
(a) The client designates an appropriate and competent resource, preferably within senior
management, to be responsible at all times for internal audit activities and to
acknowledge responsibility for designing, implementing, and maintaining internal control;
(b) The client’s management or those charged with governance reviews, assesses and
approves the scope, risk and frequency of the internal audit services;
(c) The client’s management evaluates the adequacy of the internal audit services and the
findings resulting from their performance;
(d) The client’s management evaluates and determines which recommendations resulting
from internal audit services to implement and manages the implementation process; and
(e) The client’s management reports to those charged with governance the significant
findings and recommendations resulting from the internal audit services.
The IFAC Code (i.e., “Management Responsibilities”) states, in part, that:
290.163 Whether an activity is a management responsibility depends on the circumstances and requires the exercise of judgment. Examples of activities that would generally be considered a management responsibility include:
• Setting policies and strategic direction;
• Directing and taking responsibility for the actions of the entity’s employees;
• Authorizing transactions;
• Deciding which recommendations of the firm or other third parties to implement; • Taking responsibility for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework; and
• Taking responsibility for designing, implementing and maintaining internal control.
290.164 Activities that are routine and administrative, or involve matters that are insignificant, generally are deemed not to be a management responsibility. For example, executing an insignificant transaction that has been authorized by management or monitoring the dates for filing statutory returns and advising an audit client of those dates is deemed not to be a management responsibility. Further, providing advice and recommendations to assist management in discharging its responsibilities is not assuming a management responsibility.
290.165 If a firm were to assume a management responsibility for an audit client, the threats created would be so significant that no safeguards could reduce the threats to an acceptable level. For example, deciding which recommendations of the firm to implement will create self-review and self-interest threats. Further, assuming a management responsibility creates a familiarity threat because the firm becomes too closely aligned with the views and interests of management. Therefore, the firm shall not assume a management responsibility for an audit client.
290.166 To avoid the risk of assuming a management responsibility when providing nonassurance services to an audit client, the firm shall be satisfied that a member of
management is responsible for making the significant judgments and decisions that are the proper responsibility of management, evaluating the results of the service and accepting responsibility for the actions to be taken arising from the results of the service. This reduces
the risk of the firm inadvertently making any significant judgments or decisions on behalf of management. The risk is further reduced when the firm gives the client the opportunity to make judgments and decisions based on an objective and transparent analysis and presentation of the issues.
Internal control consists of five interrelated components. These are derived from the way management runs a business, and are integrated with the management process. Two of these components are: Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. Monitoring
Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in
performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.
AICPA Code: Interpretation 101-3 – Internal Audit Services (see AICPA Code) -Basis for
Conclusions: Internal Audit Assistance Services
45. The Exposure Draft proposed that the guidance in Interpretation 101-13, Extended Audit
Services , be moved to the Interpretation and that Ethics ruling no. 103, Attest Reports on
Internal Controls and Ethics Ruling No. 104, Operational Auditing Services, also be
incorporated into the Interpretation. Guidance in Ethics Ruling No. 105, Frequency of
Performance of Extended Audit Procedures, was determined to be unnecessary and proposed for
46. By incorporating Interpretation 101-13 and related guidance into the Interpretation, the new documentation requirement and the obligation to assess the client's ability and willingness to oversee the engagement would also apply to internal audit assistance services. Further, other authoritative bodies' rules incorporated into the proposed rule by reference, would also apply where appropriate.
47. The Exposure Draft also proposed clarifying the guidance on internal audit assistance services. Interpretation 101-13 has always precluded members from providing such services when the client delegates or “outsources” responsibility and accountability for managing part or
its entire internal audit function to the member because this would result in the member acting in a capacity equivalent to that of client management, which is prohibited. To emphasize this, the proposal included the following statement; “...any outsourcing of the internal audit function to
the member whereby the member in effect manages the internal audit activities of the client would impair independence.”
48. To avoid redundancies when incorporating internal audit assistance rules into the Interpretation, the Exposure Draft also proposed deleting references to the prohibited activities in Interpretation 101-13 that were already reflected in the Interpretation.
49. The Exposure Draft also clarified that procedures considered to be extensions of the member's audit scope (i.e., applied in the audit of the client's financial statements) and engagements performed under attestation engagements would not be considered internal audit assistance for purposes of the Interpretation (i.e., they are attest rather than nonattest services and are therefore not subject to this rule).
50. Comments on proposed revisions to the internal audit services rules were mixed. Some respondents believed that the AICPA's rule should be as restrictive as the rules of the SEC and the GAO, both of which largely ban internal audit assistance services altogether. Among the reasons respondents believed that the services should be considered to impair independence is the notion that such services constitute the performance by the member of a management function. The Committee agreed that such services, if not structured appropriately, have the
potential to cause the member to undertake management functions. For that reason, the revised guidance is aimed at preventing members from undertaking management functions. It repeats the general requirements in the Interpretation to ensure that client management, not the member, will perform all tasks and assume all responsibilities that are rightfully those of client management. Another reason cited was the belief that rendering internal audit assistance services causes the member to participate in the client's internal control system. The Committee agreed that independence would be considered to be impaired if the member became part of the client's internal control system. For that reason, the guidance in the Interpretation is aimed at preventing members from becoming a part of the client's internal control system. It provides that members may not perform ongoing monitoring or control activities that affect the execution of transactions or ensure that transactions are properly executed, accounted for, or both. Members also may not perform tasks that are equivalent to those of an ongoing compliance or quality control function in connection with the client's operating or production processes, regardless of how routine the tasks may be. The Committee concluded that these safeguards are appropriate in protecting a member's independence when providing internal audit assistance services.
51. The Committee also discussed the requirement in the Interpretation that client management designate a competent employee to be responsible for the internal audit function. The Committee considered whether a basic understanding of internal audit activities would be sufficient to meet this requirement or whether in-depth knowledge and expertise of internal auditing would be required. For example, the Committee considered whether an employee with a public accounting (external audit) background could be considered competent for this purpose or whether the employee should be required to have substantial internal auditing expertise. The Committee agreed that the key is that the employee's understanding of internal audit activities should be sufficient to enable him or her to oversee the services to be performed by the member in accordance with the requirements of the Interpretation. Accordingly, in this example, if the employee's public accounting experience provides him or her with the basis upon which to do that, he or she could be considered to be competent for purposes of overseeing an internal audit assistance services engagement. Whether an in-depth knowledge of internal auditing would be required would depend on the facts and circumstances (e.g., the complexity of the organization). Further, the Committee recognized that the designated competent employee, rather than client management, will likely be the one to carry out the safeguards described in the second, third, and fourth bullets in the Internal Audit Assistance Services section of the Interpretation. The Committee believes this is appropriate and consistent with the employee assuming responsibility for the client's internal audit function as prescribed by the safeguard in the first bullet. [See Addendum paragraph 56]
59. Establish and maintain internal controls
The Committee agreed to adopt revisions to the interpretation to clarify that establishing or maintaining controls, including performing ongoing monitoring activities for a client, would impair independence if performed by a member. Specifically, the Committee agreed that it would be more appropriate to classify General Requirement 2e (requiring that the client must agree to establish and maintain internal controls) under the interpretation’s “General Activities”
rather than a “client responsibility.” Accordingly, General Requirement 2e was deleted and the
following prohibition was added under General Activities: “Establishing or maintaining internal