June 15, 2018
Ms. Toni Lee-Andrews, Director
AICPA Professional Ethics Division
American Institute of Certified Public Accountants
1211 Avenue of the Americas
New York, NY 10036-8775
Proposed Revised Interpretation: Information System Services (formerly Information Systems Design, Implementation, or Integration)
Dear Ms. Lee-Andrews:
We appreciate the opportunity to comment on the exposure draft referenced above.
By way of background, Baker Tilly Virchow Krause, LLP is a large, nationally recognized accounting firm operating primarily in the Midwest and Northeast regions of the United States. We have approximately 300 partners and employ more than 2,700 persons. Our practice is diverse, offering accounting and auditing services as well as tax and consulting services across a broad spectrum of industries and geographies.
Our comments will be in the form of responses to the specific questions included in the exposure draft as well as other comments that we believe warrant consideration.
Specific Request for Comment 1
Do you believe the terminology used in the proposal is consistent with industry practice and will be readily understood by members who do and do not practice in this arena?
We believe the term “commercial off-the-shelf” (COTS) is overused, frequently misused and becoming less relevant; thus the concept should be retired and more precise terms should be utilized. For example, many traditional COTS systems are now moving to cloud deployments, which introduces different risks and configuration mechanisms that need to be considered and require more precise terminology in order to be differentiated from more traditional COTS systems.
Specific Request for Comment 2
The definition of a financial information system proposes in part to include a system that generates information that is significant to the financial statements or financial processes taken as a whole.
- The proposal currently does not include specific guidance on what is “significant,” leaving the determination to the professional judgment of the member. Do you believe this is appropriate? If you believe specific guidance should be included, please explain how you believe “significant” should be defined.
We believe that for the interpretation to be consistently applied, the term “significant” should be defined. We recommend that the following definition from the last paragraph on page six of the exposure draft be utilized to define “significant” in the interpretation: “Information generated by the system is ‘significant’ if it is probable that it will be material to the financial statements of the attest client.”
- By including the concept of “significant” in the definition of a financial information system, it could be perceived that PEEC has proposed a less restrictive standard than the current interpretation, which would allow the member to design or develop a component of the financial information system that is not significant to the financial statements or financial process as a whole. Do you believe this exception is appropriate? Why or why not?
Yes, this exception is appropriate. Under the current interpretation, in some circumstances, members are not able to undertake projects for clients that would be extremely unlikely to pose any threat to independence; thus we believe that allowing for more judgement is appropriate.
- Do you think the phrase “financial process” makes it clear that members should be thinking broadly about processes that may affect a financial process such as information technology general controls?
No, especially considering that the auditing literature makes a clear distinction between processes and controls. We believe that if the exposure draft’s definition of a financial information system were modified to state that the items included in i. through iv. of paragraph .02a would typically meet the definition of, or be a part of, a financial information system (i.e., as opposed to how the lead-in to i. through iv. is currently worded), the connection between internal controls over financial reporting, including information technology general controls, and their inclusion in the definition of financial information systems would be much clearer.
Specific Request for Comment 3
One of the factors proposed that may assist members in determining whether a nonattest service is related to a financial system is whether the system gathers data that assists management in making decisions that directly affect financial reporting. Do you believe this would include management-level dashboard reporting? Why or why not?
Yes, based on bullet point iii. of paragraph .02a included in the definition of a financial information system (i.e., a system that gathers data that assists management in making decisions that directly affect financial reporting), we believe that management-level dashboard reporting would be included within the definition of a financial information system. As indicated in Specific Request for Comment 2c. above, we believe that the definition of a financial information system could be further clarified by stating that the items included in i. through iv. of paragraph .02a would typically meet the definition of, or be a part of, a financial information system (i.e., as opposed to how the lead-in to i. through iv. is currently worded).
Specific Request for Comment 4
If adopted as proposed, do you believe the extended period of time would be needed to implement the guidance? Why or why not?
If adopted as proposed, we do not believe that an extended period of time would be needed to implement the guidance, as this guidance is generally less restrictive than current guidance; therefore, it would be unlikely that a previously permitted service would now be considered prohibited.
In paragraph .20 of the exposure draft, there appears to be a concept introduced that nonrecurring “maintenance, support and monitoring services” would not impair independence. We believe that whether a service impairs independence should be based upon the nature of the service and not whether it is recurring or nonrecurring. For example, if a member were to assume a management responsibility, even on a nonrecurring basis, we believe that independence would be impaired. We believe that the examples provided in paragraphs .19 and .20 of the exposure draft illustrate our point. The difference in the examples is not whether the services are recurring or nonrecurring; it is whether or not management responsibilities are being assumed. In the examples in paragraph .19, management responsibilities are assumed (this is emphasized by the use of the terms “operates,” “supervises,” “has responsibility for,” and “manages”), while in the examples in paragraph .20, management responsibilities are not being assumed (this is emphasized by the use of the terms “analyze,” “provide,” “apply,” and “assess”).
We appreciate the opportunity to provide the above comments and are available for further discussion if that would be useful to the process. Should you wish to discuss any of these comments, please contact David Johnson, Professional Practice Group Partner, at 608 240 2422.
BAKER TILLY VIRCHOW KRAUSE, LLP