Yellow Book independence is a big deal. And if you prepare financial statements in a Yellow Book audit, you need to be aware of the independence rules. Below I tell you how to maintain your independence—and stay out of hot water,
Yellow Book Independence Impairment in Peer Review
Suppose that--during your peer review--it is determined your firm lacks independence in regard to a Yellow Book engagement.
What could happen? Well, I can't say for sure, but I think it would be nasty. At a minimum, you would probably receive a finding for further consideration--or worse, a negative peer review report. The engagement is definitely nonconforming (not conforming to professional standards).
Then, you'd need to provide a response--explaining what you intend to do about the lack of independence. And this could get very interesting. Not where you want to be.
Preparation of Financial Statements is a Significant Threat
If you prepare financial statements (a nonattest service) for your audit client, you have a significant threat. Why? You are auditing something (the financial statements) that you created. There is a self-review threat.
When there is a significant threat, you must use a safeguard (to lessen the threat). Such as? A second partner review. So, for example, you might have a second audit partner (someone not involved in the audit) review the financial statements. Since the second partner did not create the financial statement, the self-review threat is mitigated.
Notice the safeguard (the second partner review) is something the audit firm does--and not an action of the audit client. Therefore, it qualifies as a safeguard.
2018 Yellow Book
The 2018 Yellow Book states the following in paragraph 3.88:
Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors' independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level...or decline to provide the services. (CPAHallTalk bolded the preceding words in this section.)
But My Client has Sufficient SKE
You've heard your audit client must have sufficient skill, knowledge and experience (SKE) and that they must oversee and assume responsibility for nonattest services. This is true and is always required when nonattest services are provided to an audit client.
Even so, the client's SKE does not address the self-review threat.
Think of the SKE issue as a minimum requirement. Do not pass "go" if the client does not assign someone (with SKE) to oversee the nonattest service. You are not independent. End of discussion.
SKE is not a safeguard
The January AICPA Reviewer Alert distinguishes the SKE requirement from safeguards saying, "Client SKE should not be viewed as a safeguard, but rather a mandatory condition before performing any nonaudit services."
Once the client SKE issue is dealt with, consider if safeguards are necessary. If you are asked to prepare the financial statements, a second issue arises--the self-review threat. And this threat has to be addressed. A second review--whether a second partner review or an EQCR--is a good way to do so.
The AICPA (in its AICPA Yellow Book Pratice aid) provides examples of safeguards including:
- Obtaining secondary reviews of the nonaudit services by professional personnel who were not involved in planning or supervising the audit engagement.
- Obtaining secondary reviews of the nonaudit services by professional personnel who were not members of the audit engagement team.
See Appendix E of the AICPA Yellow Book Practice Aid for additional examples of safeguards and how to apply them.
Independence Documentation is Required
The Yellow Book requires that your independence be documented. If it is not, a violation of professional standards exists.
So, document the SKE of the client and the safeguards used to address significant threats. Also, document which nonattest services are signficiant threats.
Document Significant Threats
The January 2019 Reviewer Alert (an AICPA newsletter provided to peer reviewers) provides a scenario where an audit firm performs a Yellow Book audit and prepares financial statements. Then the firm has an engagement quality control review (EQCR) performed, but it does not identify the preparation of financial statements as a significant threat. The newsletter states "the engagement would ordinarily be deemed nonconforming for failure to document identification of a significant threat." So, even if a safeguard (e.g., a second partner review) is in use, the lack of documentation makes the engagement nonconforming.
Here's the lowdown to protect your firm:
- Document the nonattest services you are to perform
- Document the client person that will oversee and assume responsibility for the nonattest service
- Document the SKE of the designated person
- Consider whether any nonattest services are significant threats
- Document which, if any, nonattest services are significant threats
- Use (and document) a safeguard to address each significant threat (examples of safeguards include an EQCR or a second-partner review)
Looking for a tool to document Yellow Book independence? Consider the AICPA's practice aid. Here is the free PDF version. You can also purchase the fillable version here. (Cost is $39 for AICPA members.) This is the 2011 Yellow Book aid. I am thinking the AICPA will create a 2018 Yellow Book version as well.