Independence Matters

By Douglas R. Carmichael for CPAJournal.com

Auditor Independence is integral to the financial reporting system and trust in the capital markets. But recent cases against large audit firms underscore the challenges firms face in ensuring independence and the seriousness with which the SEC enforces its regulations. In the author’s opinion, too many auditors misinterpret the SEC’s independence rules, which results in a checklist mentality to compliance that misses the true spirit of the SEC’s independence requirements.

***

The recent SEC proceedings against Ernst & Young and three of its partners provide a vivid reminder of some of the pitfalls that may result in serious independence violations by unwary auditors. Ernst & Young (EY) and its partners solicited and obtained from the audit client’s chief accounting officer (CAO) other firms’ bid proposals and other confidential information and contravened the audit committee’s intent to conduct a fair and competitive search process [Accounting and Auditing Enforcement Release (AAER) 4239 (August 2, 2021)]. “EY and EY Partners,” the SEC noted, “should have known that the manner in which EY obtained the engagement would cause a reasonable investor to conclude that EY was not capable of exercising objectivity and impartiality upon becoming Issuer’s independent auditor and that such conduct therefore would result in a violation of the Commission’s and the [PCAOB] auditor independence rules.” The issuer was not named in the release, but press reports identified it as Sealed Air.

The rule violated was the SEC’s general standard that recognizes an auditor must be independent in fact and appearance. Auditors might fail to meet this standard and impair independence even if their conduct is not specifically prohibited by the SEC’s related rule that enumerates such matters. Rule 2-01(b) is the general standard, and Rule 2-01(c) provides a nonexclusive list of specific relationships that render an auditor and the auditor’s firm as not independent. Failing to understand and properly apply the general standard is a major pitfall that auditors must avoid when auditing the financial statements of a public company.

In this author’s opinion, too many auditors view the SEC’s independence rules as a two-step determination: first, evaluating independence in fact based on their own assessment of their ability to act with integrity and objectivity and, second, evaluating appearance. The second step is treated as a compliance-oriented determination of adherence to a collection of rules designed to foster public confidence, separated from the basic requirement to act with integrity and objectivity. This view has led to a checklist mentality that misses the true meaning of the SEC’s general standard on independence. This article suggests ways to avoid this major pitfall, as well as other pitfalls in applying the general standard. It also provides a reminder that SEC independence requirements may apply in certain circumstances even when the audit client is a nonissuer.

Sealed Air’s Chief Accounting Officer (CAO) had worked with one of the three EY partners at another company. The CAO was heavily involved in the Sealed Air audit committee’s process of selecting an independent auditor, and engaged in conduct designed to favor EY. EY and three other firms, including the incumbent auditor, were invited to submit bids for the audit work. The audit committee structured the Request for Proposal (RFP) process to be competitive and fair, providing each firm with “an equal opportunity to provide their best proposals.”

Without the knowledge or approval of the audit committee, the CAO provided EY with confidential information on the other firms as well as the audit committee and significant other aid. The CAO sent EY other firm’s proposals and submissions, as well as internal documents used in the audit committee’s deliberations. Because of their prior relationship (the CAO and one of the EY partners had “worked closely together”), and because the CAO viewed the EY partner “as a trusted advisor,” EY was allowed to assist in drafting portions of the RFP and permitted to meet with the CAO’s financial personnel at least one month before the other firms. Internally, EY referred to this as a “head start none of the other firms were given.”

The CAO reviewed the firms’ proposals for the audit committee and planned to present the pros and cons of the proposals to aid the audit committee’s selection. He asked EY for additional talking points, and received from EY a detailed list of additional “cons” against the incumbent firm.

EY used the competitive intelligence and confidential bid information provided by the CAO in preparing its initial proposal. The audit committee selected the incumbent firm and EY as finalists and specified a deadline for the submission of final bids. The CAO forwarded the incumbent firm’s final bid to EY and allowed EY to revise its bid and submit it five days after the deadline. EY’s bid was nearly identical to that of the incumbent firm, but slightly higher when expenses were included. The CAO removed the expenses from the information on EY’s bid that was sent to the audit committee to make EY’s bid appear to be lower. In the construction industry, this activity would be labeled “bid rigging.”

Subsequently, Sealed Air learned of some of the conduct of the CAO and EY during the RFP process. The audit committee performed an investigation and terminated both the CAO’s employment and EY’s audit engagement.

Other notable examples of violations of the SEC’s general standard include the following:

• A lead engagement partner developed and maintained a close personal relationship with the CFO of an audit client and the CFO’s family. This relationship included frequent social events, gifts, and overnight out-of-town trips that involved lavish spending. The activities violated the audit firm’s policies, which identified such extensive relationships as creating “independence issues from an appearance perspective.” The SEC sanctioned the partner for his independence violations, and the firm for failing to act on red flags regarding the partner’s relationship with the CFO (AAER 3802, September 19, 2016).

• An audit partner had a close personal and romantic relationship with the CAO of an audit client. The SEC sanctioned the audit partner and the CAO for the independence violation as well as the lead engagement partner and the audit firm for failing to act on red flags about the relationship (AAER 3803, September 19, 2016).

• An audit firm conducted microcap conferences for several years at which the firm touted a group of companies that included audit clients as high-quality investment opportunities. The PCAOB sanctioned the audit firm and the partner responsible for the firm’s compliance with independence requirements for the client-advocacy–related independence violations, as well as for violation of quality control standards (PCAOB Release 105-2019-022, September 10, 2019).

All of these independence violations involved a failure to comply with the SEC’s general standard rather than with specific prohibitions of individual rules.

The pages of The CPA Journal have not lacked coverage of independence violations and suggestions of their causes and cures. Howard Levy focused on the commonality he saw in two of the cases of the “familiarity threat” in “close personal relationships” and recommended that audit firms implement more robust policies and procedures that provide a working definition of them (“Has the SEC Awakened a Sleeping Giant?,” The CPA Journal, January 2017).

Ed Ketz postulated that: “Either practitioners have biases that they do not recognize, which requires institutional changes; or they are unaware of independence rules,” and he explored several potential solutions (“The Myth of Auditor Independence,” The CPA Journal, February 2020).

Vincent Love opined that independence violations usually occur “at the engagement partner level where the specter of unconscious bias, and arrogance, comes into play” and suggested that an improved “tone at the top” could provide a “a major control on unconscious bias and arrogance in the delivery of assurance services” (Vincent J. Love, “How Independence and Commercialism Can Coexist,” The CPA Journal, January/February 2022).

These authors have correctly identified key aspects of prominent violations of the SEC’s general standard, but I believe an important factor is missing from these analyses. As stated above, the pitfall is to totally divorce independence in fact from independence in appearance. This separation permits an auditor to regard independence in fact as a given—whether due to cognitive bias, arrogance, or both—and gloss over the need to step back and view the situation from the perspective of a reasonable person. The following discussion of the SEC’s general standard explains the basis for this conclusion.

For many years, auditors, as well as the SEC itself, have referred to the need for auditors “to be independent of their audit clients both in fact and appearance.” The pitfall here is to regard the determination of independence an auditor must make as involving two distinct judgments rather than linked matters of equal importance.

The central language of the SEC’s general standard is worth repeating and analyzing:

In addition to an evaluation of whether there is a violation of express prohibitions, an auditor must assess, with a high level of scrutiny, the objective criterion of whether the facts and circumstances render the auditor incapable of being objective and impartial or would cause a reasonable investor (or person) to conclude the auditor was incapable of doing so. SEC Release 34-43602 indicates the general standard is an objective one and that the “reasonable person standard” is embedded in the law generally; SEC Release 33-7593 indicates that circumstances that raise questions about an auditor’s independence always merit heightened scrutiny.

The fallacy here is to consider the objective test—whether a reasonable person would conclude the auditor is not capable of exercising objective and impartial judgment—as cosmetic. It is not a simple matter of appearance, a public relations stance designed to inspire confidence that does not bear on independence if the auditor’s lack of objectivity or impartiality has not been demonstrated. How else to explain the litany of violations in recent years?

In this author’s judgment, treating the SEC’s general standard on independence as a two-step, compliance-oriented determination is what has led to a check-the-box mentality in making the critical determination of independence. Audit firms use forms that list the specific prohibitions of the SEC’s Rule 2-01(c) or PCAOB or AICPA independence rules, but give short shrift to a meaningful analysis of how a reasonable person would assess the situation with knowledge of the facts and circumstances of all relationships among the auditor, the audit firm, and the audit client and its management. Avoiding this pitfall requires a commitment by individual auditors to avoid an implicit bias concerning their own objectivity, and a commitment by audit firms to develop policies and procedures on training, supervision, and monitoring that place greater emphasis on scrutinizing all relationships between the auditor and audit client from the perspective of a reasonable person as well as reinforce the affirmative obligation to obtain the necessary information for informed judgments and to maintain an impartial mental attitude when doing so.

An audit firm may have detailed quality control policies and procedures intended to provide reasonable assurance of maintaining independence. Nevertheless, policies and procedures—such as requiring each audit engagement team member to certify compliance with the firm’s and regulator’s independence rules—cannot replace an auditor’s internalized commitment and ability to view facts and circumstances through the eyes of a reasonable investor. The following are other specific pitfalls in maintaining independence that require more than literal compliance with specific prohibitions.

The SEC’s nonexclusive list of behavior that would render an auditor not independent includes prohibitions related to non-audit services [Rule 2-01(c)(4)]. Services related to management functions; human resources; broker-dealer, investment adviser, or investment banking services; legal services and expert services unrelated to the audit are categorically prohibited [Rule 2-01(c)(4)(vi-x)]. Other nonaudit services of bookkeeping; financial information systems design and implementation; appraisal valuation and similar services; actuarial services; and internal audit outsourcing services are conditionally prohibited [Rule 2-01(c)(4)(i-v)].

The condition that permits performing these services for an audit client is that “it is reasonable to conclude that the results of these services will not be subject to audit procedures during an audit of the audit client’s financial statements” [Rule 2-01(c)(4)(i-v)]. The potential pitfall is overlooking that the SEC has made clear that “there is a rebuttable presumption that the prohibited services will be subject to audit procedures” [SEC Release 33-8183 and Office of the Chief Accountant, “Frequently Asked Questions, non-Audit Services,” E (Question 3)]. An auditor that performs a conditionally prohibited service has an affirmative obligation to obtain all the facts and circumstances related to providing the service, and substantiate and document why there was a reasonable expectation before providing the service that audit procedures would not be applied to the results of the service. An auditor also has to be aware that the general standard must be applied in all circumstances, including when providing otherwise permissible nonaudit services.

Extra scrutiny is essential if an audit firm is engaged to provide any type of bookkeeping or related service to an audit client, especially if services are provided to affiliates within the definition of an audit client. This nonaudit service prohibition is much more restrictive than the AICPA rules applicable to most nonissuer engagements. The prohibited services are specified as “bookkeeping or other services related to the accounting records or financial statements of the audit client” [Rule 2-01(c)(4)(i)]. The SEC’s prohibition is broad: the rule states the prohibition applies to “any service” unless the condition of it being reasonable to conclude that the results of the services will not be subject to audit procedures during the audit is met.

The rule provides a list of the types of services that are sufficient but not necessary to result in a violation. This list states that the prohibited services “include” the following: maintaining or preparing the audit client’s accounting records; preparing the audit client’s financial statements that are filed with the SEC, or that form the basis of financial statements filed with the SEC; or preparing or originating source data underlying the audit client’s financial statements [Rule 2-01(c) (4)(i)]. Note that the rule contains the word “including”—not “involving”—thus indicating that other services related to accounting records may be violations even if the three activities enumerated in the rule are not performed. The SEC staff has indicated, for example, that word processing or typing services, providing templates for financial statement preparation not publicly available, and similar clerical assistance are prohibited under this rule [SEC Release 33-8183 and Office of the Chief Accountant, “Frequently Asked Questions, non-Audit Services,” E (Questions 1, 8, and 9)].

Heightened scrutiny is particularly necessary when the audit firm also provides tax-related services and maintains any of the audit-client’s tax-related records. Depending on the circumstances, these records may become the basis for amounts or disclosures in audited financial statements that are subject to SEC independence requirements resulting in a violation of this prohibition.

The SEC independence requirements contain a rule sometimes referred to as the quality controls exception [Rule 2-01(d)]. This rule provides that an audit firm’s independence would not be impaired solely because a covered person in the firm is not independent of an audit client if specified conditions are met. For audit firms with 500 or fewer audit clients registered with the SEC, there are only three conditions, as follows:

• The covered person did not know of the circumstances giving rise to the lack of independence.

• The covered person’s lack of independence was corrected as promptly as possible under the relevant circumstances after the covered person or firm became aware of it.

• The firm has a quality control system in place that provides reasonable assurance that the firm and its employees do not lack independence and covers all employees and associated entities participating in the engagement, including those outside the United States. The quality control system’s ability to provide reasonable assurance takes into account the size and nature of the firm’s practice. For firms with over 500 audit clients registered with the SEC, there are additional conditions that the quality control system must meet.

The first hazard is wrongly equating “not knowing the circumstances” giving rise to the lack of independence with “not knowing of the existence of the rule” that prohibited the conduct. Ignorance of the applicable independence requirements is not excused by the quality controls, exception or otherwise. Not knowing the circumstances relates to matters such as a partner suddenly learning an immediate family member has purchased shares in an audit client, or a close relative being hired in an accounting role at an audit client. A competent auditor is presumed to have sufficient knowledge of applicable professional standards, including independence requirements.

Another hazard is to presume that because the firm has written independence policies and procedures, the quality control system provides the reasonable assurance required by the third condition. The initial violation of the independence rule when the covered person knew of the circumstances causing the violation is prima facie evidence the system did not provide reasonable assurance. It would thus be apparent that the firm did not have policies and procedures sufficient to avoid the conduct and behavior, and that training, supervision, and monitoring policies and procedures were lacking.

PCAOB Rule 3526, on communications with audit committees concerning independence, requires annual written communication of all relationships between the audit firm (including affiliates) and the audit client (or persons in financial reporting oversight roles at the client) that may reasonably be thought to bear on independence (emphasis added). Part a of the rule covers the initial communication of prior services and Part b relates to an annual communication thereafter. AAER 4239 indicates EY failed to comply with PCAOB Rule 3526 by not informing the audit committee of the conduct during the RFP process.