PwC is generally in agreement with most of the proposals in the exposure draft and provides some observations that the Firm believes would improve the proposal. With respect to the proposed definition of "confidential client information" in ET Section 92, as well as the proposed revisions to Ethics Ruling No. 2, "Distribution of Client Information to Trade Associations," under Rule 301, PwC believes that the proposed revisions create additional compliance parameters, yet PEEC has provided no evidence of concerns raised by clients or issues or breaches that client companies have raised regarding either violations of the current guidance, or its being inadequate as currently written. PwC, therefore, recommends that the PEEC obtain feedback from companies and other interested constituents that will be directly impacted by the proposed changes.
Lisa A. Snyder
Director, Professional Ethics
AICPA Professional Ethics Executive Committee
1211 Avenue of the Americas
New York, NY 10036-8775
June 3, 2011
Re: AICPA Professional Ethics Division Omnibus Proposal, Interpretations and Rulings−February 28, 2011
Dear Ms. Snyder:
PricewaterhouseCoopers LLP ("PwC") appreciates the opportunity to provide comments
on the AICPA Professional Ethics Executive Committee's ("PEEC") February 28, 2011 Omnibus Proposal. In this letter, we provide our general observations, as well as specific suggestions and comments, with respect to the various components of the exposure draft.
I.Proposed Interpretation 101-18, Application of the Independence Rules to Affiliates
Proposed Interpretation 101-18, Application of the Independence Rules to Affiliates, would establish criteria to be used in determining which entities related to a financial statement attest client (as defined) would be considered affiliates. We are generally in agreement with the need for a definition of "affiliate" in the Code and with the principles proposed in this interpretation; we do, however, have the following observations that we believe would improve the proposal.
The proposal defines the term "affiliate" using a two-tier approach: 1) general criteria based on relationship attributes of control, significant influence, and materiality (items a. through e.) and 2) certain relationships that are specifically defined to be affiliate relationships (items f. through j.) involving trusts, employee benefit plans (EBPs), and unregistered investment companies (Funds).
We support an approach under which the accountant would determine whether an entity is an affiliate by applying professional judgment using appropriate criteria based on the relevant facts and circumstances. We believe that the general criteria set forth in items a. through e. of the proposal appropriately capture the overarching principles necessary to facilitate the application of professional judgment in order to determine whether an affiliate relationship exists between a financial statement attest client and another entity.
We do not agree with the approach in the proposal whereby specific entities are asserted to be affiliates−items f. through j.−without regard to the general criteria. This not only eliminates the exercise of judgment by the accountant, it rules out any possibility that judgment could be applied using the general criteria to reach an appropriate conclusion. For example, the proposal defines all trustees as affiliates of trust financial statement attest clients. According to the explanatory narrative accompanying the proposal (page 13 of the exposure draft), this position is based on the presumption that all trustees have "significant involvement with and power over the trust.". However, whether a trustee has such involvement and power can vary based on the nature of the arrangement as outlined in the trust agreement. If the agreement places the trustee in a fiduciary role with substantial authority, then it might reasonably be expected that the trustee has "significant involvement with and power over" the trust. In contrast, this presumption is unlikely to hold true where the trustee merely serves the trust in an administrative capacity or where the grantor retains significant control. Thus, judgment would be required to reach an appropriate conclusion about whether an affiliate relationship exists.
Similarly, the potential exists for variations in EBP and Fund arrangements, depending on the relevant facts and circumstances, such that considering them to be part of an affiliate relationship may not be appropriate in all circumstances. Accordingly, we recommend that the PEEC remove items f. through j. from the interpretation and allow accountants to evaluate such relationships using the general criteria. This more principles-based approach would allow for greater flexibility in evaluating the specific facts and circumstances of relationships that a "nontraditional entity" financial statement attest client may have with other entities (or vice versa), and thereby help to avoid the potential for inappropriate affiliate designations.
We would not object to the PEEC presenting items f. through j. outside of the authoritative literature as illustrative guidance−perhaps in the form of FAQs−noting how the principles set forth in items a. through e. might be applied to determine affiliate status in a given fact pattern. However, in doing so, the PEEC should include a caveat that an affiliate relationship may not exist in all such circumstances and that the substance of the relationship under consideration should serve as the key determinant of whether an affiliate relationship exists.
The "Other Considerations" section of the proposal requires that when a member becomes aware of an entity not identified in the affiliate definition that can
First, if the financial statement attest client can control the entity, it would be an affiliate under general criteria (a) in the proposed definition. Accordingly, because that relationship is identified in the definition, it does not belong in this proposed provision.
Second, despite being described as an additional consideration, this requirement would essentially operate as an additional affiliate rule, since the requirement is to evaluate interests and relationships the member has with the entity, rather than to evaluate whether the entity should be considered an affiliate. Further, compliance with this requirement would necessitate 1) the identification of all interests in, and relationships with, non-affiliates; 2) gathering and analyzing all relevant facts and circumstances relating to the interests and relationships identified; and 3) an assessment of the threats to independence that may exist. Given that such entities are not affiliates of the financial statement attest client based on the application of principles already set forth in the exposure draft, it is unclear why the PEEC is proposing to establish this very broadly drawn requirement. We propose that the PEEC delete this requirement in the final interpretation, as the application of professional judgment using the general criteria is an adequate means of addressing such situations.
The explanatory narrative accompanying the proposal (page 10 of the exposure draft) implies that the provisions of Interpretation 101-18 would not apply with respect to an entity that engages a member to perform a financial statement audit of another entity. Instead, a threats and safeguards analysis should be undertaken with respect to the engaging entity. This guidance, which addresses the AICPA Code's ("Code") definition of "client" (ET section 92.03), is of sufficient importance to warrant explicit discussion in the interpretation itself, rather than being relegated solely to the explanatory narrative. Further, consideration should be given to adding a footnote reference to Interpretation 101-11, noting that under its provisions, as revised, independence from the engaging entity is not required when the engaging entity is not also the responsible party. This would obviate the need for a threats and safeguards analysis to be undertaken with respect to that entity as required by Interpretation 101-18. Alternatively, this can be accomplished by making the point directly in Interpretation 101-11.
The proposal provides that when a member performs a service requiring independence other than a financial statement audit, review, or certain compilations, the member should evaluate any relationships or interests with that client’s affiliates using the Conceptual Framework for AICPA Independence Standards. This requirement has the potential to cause confusion given that the proposed revisions to Interpretation 101-11 appear to suggest that the practitioner need only be independent of the responsible party for engagements performed under the Statement on Standards for Attestation Engagements (SSAEs). We recommend that clarifying language be included in the final interpretation. Additional comments relating to Interpretation 101-11 are presented below.
It is unclear whether the PEEC intended the proposed interpretation to apply to engagements for financial statement attest clients that are governmental entities. We presume that Interpretation 101-18 would not apply, given that the PEEC has chosen not to delete Interpretation 101-10, The Effect on Independence of Relationships with Entities Included in Governmental Financial Statements, which currently addresses affiliate relationships in a governmental setting. However, this point warrants clarification by way of explicit guidance in the interpretation.
II.Proposed Revisions to Interpretation 101-3, Performance of Nonattest Services
Proposed revisions to Interpretation 101-3, Performance of Nonattest Services, include the incorporation of certain guidance from the AICPA's non-authoritative answers to Frequently Asked Questions document on the performance of nonattest services. The proposed revisions also clarify the prohibition in the General Activities section of Interpretation 101-3 on establishing or maintaining internal controls, including performing ongoing monitoring activities for an attest client. In addition, clarification is provided on the standard with regard to bookkeeping services, as well as what would be considered a "management responsibility," and a new requirement is being proposed whereby members would have to evaluate the significance of any threats to independence created by performing separate evaluations of the effectiveness of an attest client's internal control system. We are generally in agreement with the revisions proposed; we do, however, have the following observations that we believe would improve the proposal.
As discussed in COSO's Internal Control - Integrated Framework, Chapter 6 -Monitoring, a clear distinction is drawn between ongoing monitoring activities and separate evaluations of internal control systems. The former is characterized by COSO as "...performed on a real-time basis...and are ingrained in the entity.". In contrast, separate evaluations are described as taking place "after the fact," not "in the course of operations.". The interpretation's existing provision appears to more accurately reflect this distinction (and the impact on auditor independence) than the proposed revisions, providing that −
As proposed, the revisions to Interpretation 101-3 blur the distinction between ongoing monitoring activities and separate evaluations by requiring members to assess whether a separate evaluation is in fact equivalent to an ongoing monitoring activity. Rather than adopting this approach that explicitly requires the evaluation of management participation threats in these circumstances, we believe the existing interpretation more accurately captures the concepts embodied by the COSO Framework. The existing provision is sufficient given that the general requirements of Interpretation 101-3 impose an outright prohibition on undertaking a management responsibility, as would be the case if a member performed an activity equivalent to an ongoing monitoring function.
III.Proposed Revisions to Interpretation 101-11, Modified application of rule 101 for certain engagements to issue restricted-use reports under the Statements on Standards for Attestation Engagements
The proposed revisions to Interpretation 101-11 would extend certain existing limited independence requirements, which currently apply only to agreed-upon procedures engagements, to all other engagements performed under the SSAEs. Specifically, independence would be required with respect to the responsible party, and non-audit services would only be prohibited where they relate specifically to the subject matter of the SSAE engagement. We are generally in agreement with the revisions proposed; we do, however, have the following observations that we believe would improve the proposal.
Pursuant to the proposed revisions to Interpretation 101-11, when an engagement is performed under the SSAEs (that is, for an attestation-only client), independence need only be maintained with respect to the responsible party. The guidance in proposed Interpretation 101-18 (Other Considerations, second paragraph) could be interpreted as being in conflict with Interpretation 101-11. At a minimum, it could create confusion as to its proper application in Interpretation 101-11 scenarios.
If the intent of the PEEC is to require independence only of the responsible party that is an SSAE-only client, mandating a threats and safeguards analysis with respect to "affiliates" of the responsible party would appear to be unnecessary.
If, however, the PEEC's intent is to require independence of the responsible party's affiliates, then the PEEC should consider aligning its approach with that set forth in the International Ethics Standards Board for Accountant's (IESBA) Code Section 291.3. That provision requires that "…when the assurance team knows or has reasonto believe [emphasis added] that a relationship or circumstance involving a related entity of the [non-audit] assurance client is relevant to the evaluation of the firm’s independence from the client, the assurance team shall include that related entity when identifying and evaluating threats to independence and applying appropriate safeguards.". Adopting the IESBA's approach would also further the AICPA's stated goals regarding convergence in a manner consistent with the overarching principles of the Conceptual Framework.
In a related issue, the PEEC should consider the potential that the reader of a report issued under the SSAEs, if not well-versed in the AICPA independence standards, may incorrectly assume that the member is independent of the engaging party if different than the responsible party (i.e., the report is labelled as the "independent auditor's report," and oftentimes will begin by stating that the member was engaged by XYZ company…). The PEEC should consider the potential for confusion, and if significant, discuss possible remedies (such as modifying the report) with the Auditing Standards Board.
The proposed revisions to Interpretation 101-11 state (in part) that "Nonattest services that are otherwise prohibited by Interpretation 101-3…may be provided to the responsible party(ies) when such services do not relate to the specific subject matter of the SSAE engagement, provided the general requirements of Interpretation 101-3 are met." (emphasis added). The prohibitions in Interpretation 101-3 are derived primarily from applying the general requirement that the member not assume management responsibilities. Therefore, to allow prohibited services under Interpretation 101-3 to be provided (as long as they do not relate to the subject matter of the SSAE engagement), but only on the condition that the general requirements of Interpretation 101-3 are met, appears to contradict, or at least have the potential to cause confusion over, the nonattest service exception that the PEEC is providing under these revisions. Therefore, we recommend clarifying this final clause by specifying that the general requirements must be met with regard to the subject matter of the SSAE engagement. The PEEC should consider adopting language similar to that provided in the IESBA Code at Section 291.146:
IV.Rule 301, Confidential Client Information, and associated ethics ruling (revised)
With respect to the proposed definition of "confidential client information" in ET Section 92, as well as the proposed revisions to Ethics Ruling No. 2, "Distribution of Client Information to Trade Associations," under Rule 301, Confidential Client Information, it is unclear why the PEEC believes the current rule is in need of modification. The proposed revisions create additional compliance parameters, yet PEEC has provided no evidence of concerns raised by clients or issues or breaches that client companies have raised regarding either violations of the current guidance, or its being inadequate as currently written.
Given the foregoing, we recommend that the PEEC obtain feedback from companies and other interested constituents that will be directly impacted by the proposed changes. It would be beneficial for the PEEC to have the insights of the corporate community before revising its rule. We suggest that targeted outreach to companies of various sizes be undertaken. One potential method of outreach is for the PEEC to conduct interviews in the form of individualized calls with a select group of such companies. Another potential method of outreach is for the PEEC to engage in conversations with specialty and industry groups, perhaps having the PEEC task force engage in panel discussions at meetings of such groups (e.g., the Financial Executives Institute (FEI), the AICPA banking and insurance conferences).
To the extent there are no issues of breaches of the current rule and clients do not have concerns over its current construct, we recommend that the PEEC reconsider whether any revisions to the current rule are necessary. However, should the PEEC choose to proceed with these proposals, the following areas of concern are submitted for the PEEC's consideration.
As discussed above, if there are no current issues of breaches or client concerns with the current rule, introducing a new definition of “confidential client information” is not necessary. Further, adopting a new definition may cause confusion in light of differences with state board rules. A new definition that differs from a state board rule, either because the state board rule contains a different definition of the term than the one proposed, or because the state board has adopted and retains the current AICPA rule, might cause inconsistency in application with respect to the treatment of client information. Therefore, the PEEC should determine the potential impact this proposal may have on state board rules1, and in particular, note the potential conflict resulting from the proposed new definition of "confidential client information" in relation to other definitions or interpretations of the term used by the various state boards. To avoid such confusion, it is recommended that the proposed changes be limited to the ethics ruling, and to remove the proposal for a new definition of "confidential client information" in order to minimize instances where there would be conflicts with guidance in the state board rules.
Should the PEEC decide to adopt a new definition, however, it is recommended that the use of the term "known" in the definition be reconsidered. The PEEC's proposal provides that "[c]onfidential client information is any information obtained from the client that is not known to be in the public domain or available to the public..." (emphasis added). The use of the term "known" unduly complicates a fairly straightforward definition and raises several issues in need of clarification. For example, the standard of care required of the practitioner in assessing whether information is "known" to be in the public domain is unclear. The perspective from which "knowledge" should be measured−the client, the member, the public, or a reasonable third party−is not provided in the definition. Further, the consequences of violating Rule 301 by disclosing client information that is in the public domain but is not known by the member to be in the public domain are not identified in the guidance (e.g., Rule 301 violation, due care violation under ET Section 56).
To address these concerns, we recommend that the PEEC remove the term "known" from the definition. Removing the term will create a more straightforward definition, namely, that confidential client information is information obtained from the client that is not in the public domain or available to the public. In the event that the PEEC were to determine that the term should remain in the definition, further guidance to address the concerns noted in the preceding paragraph should be provided.
The rationale for differing actions required with respect to the types of information described in the second and third columns of the non-authoritative table that supplements the proposed revision to Ethics Ruling No. 2 is unclear. That is, it is not clear why client information that is included as part of member information (column three) does not require consent (if deidentified), presumably even if the information is not in the public domain, but client information that is not in the public domain (column two) that is not part of member information requires consent. It would appear that as proposed, the trigger for the consent requirement is whether the information is in the member's possession, not whether the information is confidential.
In addition, it is not evident why, if client information that is not in the public domain is deidentified, consent is still required (column two). If client information is deidentified, it would no longer be linked to the client and therefore, consent would not be necessary. As a result, from a business and practicality perspective, the requirement to obtain client consent, in addition to the deidentification, in our view is an unnecessary two-pronged requirement that does not further the underlying intent of the rule.
As an example to illustrate the lack of clarity between columns two and three of the table (i.e., information not in the public domain vs. client information as part of member information), as well as the business/practical implications of requiring actual client consent (and not only deidentification) for disclosing client information not in the public domain, consider the common practice of a member advising its client by discussing an aggregate of other client scenarios (while not identifying the other clients). First, it is unclear whether such information would be considered information in the member's possession or client information not in the public domain (and therefore unclear whether client consent or only deidentification is required). Second, if consent is required, it could potentially make the provision of value-added or generic advisory services difficult, if not impossible, to provide. Calling upon his/her breadth of experience and using an aggregate of other client scenarios as examples is typically an integral component of a member's advice. Importantly, clients routinely seek such advice and benefit from it. Requiring consent before providing advice based on aggregate information could conceivably curb the benefits that clients receive, since the steps required to obtain the consent may make the provision of the value-added or generic advisory services impractical or not timely.
In some scenarios it might be difficult to sufficiently deidentify information to guarantee that a third party will be unable to ascertain the identity of the client. For example, if a third party requests client information relating to an industry that is limited in size such that information can be traced back to one or two clients fairly easily, deidentification of the client might not be a workable solution. In these cases, obtaining client consent might be the preferable approach to protect the client's interests.
To address the above concerns, it is recommended that either consent (with the deidentification decision left to client discretion)or deidentification (with no consent) be required when disclosing client information not in the public domain. The discretion as to whether consent should be obtained or deidentification performed should be left to the member based on the exercise of professional judgment in the facts and circumstances of the scenario. These examples illustrate the value of obtaining client feedback to determine clients' views in such a common scenario.
We would be pleased to discuss our comments and to answer any questions that you or the PEEC may have. Please contact Michael Deniszczuk (201-521-4239) regarding our submission.
1 See, e.g., New York ("Unprofessional conduct shall also include revealing of personally identifiable facts, data or information obtained in a professional capacity without the prior consent of the client . . ."); Alaska ("A licensee . . . may not reveal information communicated to the licensee by a client about a matter concerning which the client has employed the licensee in a professional capacity."); Maryland (" . . . a licensee may not voluntarily disclose information communicated by the client relating to and in connection with professional services rendered to the client by the licensee.").