ICAS responds to IESBA’s Exposure Draft on proposed technology-related changes to its Code of Ethics (including International Independence Standards)
Ann Buttery, Head of Ethics, ICAS Policy Leadership, provides a summary of the ICAS response to IESBA’s proposed technology related changes to its Code of Ethics (including International Independence Standards).
The ICAS Code of Ethics is substantively based on the International Ethics Standards Board for Accountants (IESBA) Code of Ethics. In February 2022, the IESBA issued an Exposure Draft of proposed technology-related revisions to its Code of Ethics (including International Independence Standards). A summary of the proposals is provided here.
Overall, ICAS is generally supportive of IESBA’s proposals outlined in its Exposure Draft, and believes that the new provisions will be beneficial to users of the Code, however suggests that certain areas may need further clarification.
A summary of ICAS’ main comments within its response are noted below:
Technology-related considerations when applying the Conceptual Framework
ICAS agrees with IESBA’s inclusion of new paragraphs 200.6 A2 and 300.6 A2 which serve to highlight within the Code that use of technology is a specific circumstance that might create threats to compliance with the fundamental principles. For example, paragraph 200.6 A2 states the following:
“200.6 A2 The use of technology is a specific circumstance that might create threats to compliance with the fundamental principles. Considerations that are relevant when identifying such threats when a professional accountant relies upon the output from technology include:
- Whether information about how the technology functions is available to the accountant.
- Whether the technology is appropriate for the purpose for which it is to be used.
- Whether the accountant has the professional competence to understand, use and explain the output from the technology.
- Whether the technology incorporates expertise or judgments of the accountant or the employing organization.
- Whether the technology was designed or developed by the accountant or employing organization and therefore might create a self-interest or self-review threat.”
ICAS also agrees with IESBA (paragraph 18 of the Explanatory Memorandum) that placing this guidance in Sections 200 and 300, rather than within Section 120 (The Conceptual Framework), will make the considerations more visible to Professional Accountants in Business (PAIBs) (Section 200) and Professional Accountants in Public Practice (PAPPs) (Section 300) and will therefore better assist them in identifying threats that might arise from reliance on the output from technology.
IESBA has inserted 120.14 A3 (b) to expand upon what behaviours are expected of professional accountants with respect to organisational culture:
“120.14 A3 Professional accountants are expected to:
(a) encourage and promote an ethics-based culture in their organization, taking into account their position and seniority; and
(b) Demonstrate ethical behaviour in dealings with business organizations and individuals with which the accountant, the firm or the employing organization has a professional or business relationship.”
ICAS welcomes this addition however notes that the promotion of an ethics-based culture by professional accountants is also discussed at paragraph 200.5 A3 and suggests that similar wording to 120.14 A3 (b) above could also be added to this paragraph in Section 200 (see in italics below) thereby making it more visible to Professional Accountants in Business.
“200.5 A3 The more senior the position of a professional accountant, the greater will be the ability and opportunity to access information, and to influence policies, decisions made and actions taken by others involved with the employing organisation. To the extent that they are able to do so, taking into account their position and seniority in the organisation, accountants are expected to encourage and promote an ethics-based culture in the organisation, in accordance with paragraph 120.14 A3, and demonstrate ethical behaviour in dealings with business organizations and individuals with which the accountant or the employing organization has a professional or business relationship.
Examples of actions that might be taken include the introduction, implementation and oversight of:
- Ethics education and training programs.
- Management processes and performance evaluation and reward criteria that promote an ethical culture.
- Ethics and whistle-blowing policies.
- Policies and procedures designed to prevent non-compliance with laws and regulations.”
ICAS also noted that, having specifically included content in Section 200 for Professional Accountants in Business in relation to organisational culture, it does also raise the question if similar provisions should be included in Section 300 for Professional Accountants in Public Practice.
Determining Whether the Reliance on, or Use of, the Output of Technology is Reasonable or Appropriate for the Intended Purpose
(i) Proposed factors to be considered in relation to determining whether to rely on, or use, the output of technology
ICAS notes that professional accountants (PAs) are being asked to consider the appropriateness of the output from technology in paragraphs 220.7 A2 and 320.10 A2. For example, paragraph 220.7 A2 states the following:
“220.7 A2 Factors to consider in determining whether reliance on the output of technology is reasonable include:
- The nature of the activity to be performed by the technology.
- The expected use of, or extent of reliance on, the output from the technology.
- The professional accountant’s ability to understand the output from the technology for the context in which it is to be used.
- Whether the technology is established and effective for the purpose intended.
- Whether new technology has been appropriately tested and evaluated for the purpose intended.
- The reputation of the developer of the technology if acquired from or developed by an external vendor.
- The employing organization’s oversight of the design, development, implementation, operation, maintenance, monitoring or updating of the technology.
- The appropriateness of the inputs to the technology, including data and any related decisions.”
ICAS believes that some may be concerned with the extent of these obligations in terms of competence, however, ICAS also appreciates that professional accountants cannot just blindly rely on the output from technology and there is a need for them to give some consideration as to the reasonableness of the output of the technology just as they would if they were considering the work of an expert.
Paragraph 36 (a) of the Explanatory Memorandum states: “Although PAs do not need to be experts in technology, the IESBA anticipates that they will have a reasonable degree of awareness and understanding of certain matters with a view to deciding whether reliance on the output of technology is reasonable.” As such, ICAS suggests this wording ought to be included, or expanded upon, in the Code to clarify to professional accountants IESBA’s expectations of them.
(ii) Appropriateness of the inputs to the technology
The last bullets of paragraphs 220.7 A2 and 320.10 A2 state: “The appropriateness of the inputs to the technology, including data and any related decisions.” To enhance clarity for users as to IESBA’s intentions, ICAS suggests this bullet could be expanded to include what is noted in the Explanatory Memorandum paragraph 19 i.e. “The IESBA noted that inputs to technology are not only data, but also other information such as decisions made by individuals relating to the operation of the technology.” For example, the wording could be amended as follows (see italics): “The appropriateness of the inputs to the technology, including data and any related decisions, such as decisions made by individuals relating to the operation of the technology.”
Consideration of “Complex Circumstances” When Applying the Conceptual Framework
IESBA has proposed additional provisions in the Code in relation to ‘complex circumstances’ to highlight why such circumstances are a consideration in applying the conceptual framework. The discussion includes a description of the facts and circumstances involved when complex circumstances arise and provides guidance to assist professional accountants manage such circumstances or mitigate their impact (proposed paragraphs 120.13 A1 to A3).
The paper ‘Complexity and the professional accountant: Practical guidance for ethical decision-making’ (published jointly by ICAS, the Chartered Professional Accountants of Canada (CPA Canada), the International Ethics Standards Board for Accountants (IESBA) and the International Federation of Accountants (IFAC) in June 2021) provides a detailed explanation of the distinction between ‘complicated’ versus ‘complex’ problems and the different tools and approaches that are needed in order to approach such situations.
IESBA has therefore deliberately used the term ‘complex’ in these proposed provisions, the intention being to highlight the particular considerations that give rise to ‘complex’ circumstances and to emphasise to users that the approach to dealing with a ‘complex’ versus a ‘complicated’ issue is different. However, whilst ICAS is supportive of content being included in the Code on ‘complexity’, we believe additional clarity is required to better communicate to users IESBA’s intentions in this regard. We are not convinced that professional accountants reading IESBA’s proposed paragraphs “cold”, i.e. without knowledge of the background paper noted above or IESBA’s technology project, will understand that there is nuance in the terminology, and that there is significance in IESBA’s use of the term ‘complex’ as opposed to ‘complicated’, which are terms which can be used interchangeably in practice in the English language.
In order to try to help users to understand the significance of the paragraphs, ICAS has suggested that IESBA might wish to consider providing examples (in italics below) so that users can get a better understanding of the situations IESBA envisioned these paragraphs would address:
The circumstances in which professional accountants carry out professional activities vary considerably. Some professional activities might involve complex circumstances that increase the challenges when identifying, evaluating and addressing threats to compliance with the fundamental principles.
120.13 A2 Complex circumstances arise where the relevant facts and circumstances involve:
(a) Elements that are uncertain; and
(b) Multiple variables and assumptions,
which are interconnected or interdependent. Such facts and circumstances might also be rapidly changing.
For example, complex circumstances could be brought on by, amongst other factors, the impact of new technologies, or rapidly changes laws and regulations with differing public interest angles. Tax planning for a multinational corporation or successfully merging the cultures of two organizations is complex.”
Confidentiality and Confidential Information
ICAS supports IESBA’s proposed revisions to paragraphs 114.1 A1 and 114.1 A3 and the proposed Glossary definition of “confidential information”.
New paragraph 114.1 A1 states: “Maintaining the confidentiality of information acquired in the course of professional and business relationships involves the professional accountant taking appropriate action to secure such information in the course of its collection, use, transfer, storage, dissemination and lawful destruction.”
However, ICAS also notes in paragraph 114.1 A1 a situation similar to proposed paragraph 220.7 A3 (see below) where a professional accountant’s position in the organisation may impact their ability to do all of this. They can only be held responsible for keeping information confidential within their own individual sphere of influence. For example, an audit senior in a firm would be held responsible for the client information that comes to them during their work, but they can’t be held responsible for the lawful destruction of that information (for example the routine destruction of emails) from the firm’s IT systems as that will be a policy beyond their sphere of influence. ICAS appreciates there may be exceptions where specific procedures are in place, but does question the generality of the proposed paragraph.
Paragraph 220.7 A3: “Another consideration is whether the professional accountant’s position within the employing organization impacts the accountant’s ability to obtain information in relation to the factors required to determine whether reliance on the work of others or on the output of technology is reasonable.”
Parts 4A and 4B – International Independence Standards (IIS)
(i) Proposed revisions in paragraphs 400.16 A1, 601.5 A2 and A3 relating to “routine or mechanical” services.
ICAS supports the proposed revisions in paragraphs 400.16 A1, 601.5 A2 and A3 relating to “routine or mechanical” services where IESBA acknowledges that accounting and bookkeeping services can either be manual or automated and provides new application material to prompt firms’ consideration of how the technology functions and whether the technology is based on expertise or judgements of the firm or a network firm when determining whether an automated accounting or bookkeeping service is “routine or mechanical”.
ICAS notes that paragraphs 45 and 46 of the Explanatory Memorandum state: “Proposed paragraph 601.5 A2 further reminds users of the Code that automated NAS are not necessarily routine or mechanical” and “In finalizing the technology-related proposals, the IESBA incorporated stakeholder feedback arising from the NAS project which noted that automated services that appear to be “routine or mechanical” could, in substance, result in an assumption of a management responsibility.”
As such, ICAS suggests spelling this threat out further in the Code by adding an additional sentence to paragraph 601.5 A2 (see in italics below):
601.5 A2 Accounting and bookkeeping services can either be manual or automated. In determining whether an automated service is routine or mechanical, factors to be considered include how the technology functions and whether the technology is based on expertise or judgments of the firm or a network firm. Automated services that appear to be “routine or mechanical” could, in substance, result in an assumption of a management responsibility.
(ii) Prohibition on services in relation to hosting (directly or indirectly) of an audit client’s data, and the operation of an audit client’s network security, business continuity and disaster recovery function
ICAS supports the proposed prohibition on services in relation to hosting (directly or indirectly) of an audit client’s data, and the operation of an audit client’s network security, business continuity and disaster recovery function because they result in the assumption of a management responsibility.
ICAS noted that if a reasonable and informed third party were aware that a firm had such an arrangement with their audit client, they could reasonably conclude that this might threaten the firm’s independence. Further, if there was to be a hack and the firm was hosting the client’s system this could lead to reputational damage for the firm.
ICAS however believes that there is a need to clarify exactly what client systems are meant to be covered by paragraphs 606.3 A1 and 606.3 A2, in order that the user will be able to understand what is expected of them, and suggests the following amendments to the Code to clarify IESBA’s intentions (see in italics):
“606.3 A1 In accordance with paragraph R400.15, examples of IT systems services that result in the assumption of a management responsibility include where a firm or a network firm:
- Provides services in relation to the hosting (either directly by the firm or network firm or indirectly by a third party) of an audit client’s primary/active data systems.
- Operates an audit client’s network security, business continuity or disaster recovery function.
606.3 A2 The collection, receipt and retention of data provided by an audit client to enable the provision of a permissible service to that client, such as data provided by the client to the firm for the purposes of the audit, does not result in an assumption of management responsibility as the client still maintains control over this data.”
(iii) Withdrawal of the presumption that providing certain IT system services does not usually create a threat as long as individuals within the firm or network firm do not assume a management responsibility.
Extant subparagraph 606.4 A2(c) states that “Providing the following IT systems services to an audit client does not usually create a threat as long as individuals within the firm or network firm do not assume a management responsibility: … Implementing “off-the-shelf” accounting or financial information reporting software that was not developed by the firm or network firm, if the customization required to meet the client’s needs is not significant.”
ICAS agrees with the withdrawal of this presumption, and the addition of “Implementing accounting or financial information reporting software, whether or not it was developed by the firm or a network firm” as an example of an IT systems service that might create a self-review threat in proposed paragraph 606.4 A3.
ICAS ethics resources
ICAS is committed to providing ethics resources and support to its Members. Since 2015, ICAS has published a series of publications, guidance and resources as part of The Power of One initiative which are all available on icas.com.
In November 2020, to mark the fifth anniversary of The Power of One, ICAS issued second editions of its series of publications on ethical leadership:
- Ethics -The Power of One
- The Power of One – Personal responsibility and ethical leadership
- The Power of One – Moral Courage
- The Power of One – Personal Reputation
- The Power of One – Organisational culture and values
- The Power of One – The CA and the organisation
- The Ethical Journey – The Right, the Good and the Virtuous
- Organisational culture: The importance of listening
ICAS also offers the following:
- guidance on conflict of interest;
- an ethical decision making framework;
- ethics videos;
- case studies; and
- From 1 January 2021, compulsory ethics CPD was introduced for all ICAS Members. This does not involve compulsory attendance at courses or the purchase of material – it could simply mean some reading of ethics-related material available online. In addition to ICAS’ own ethics resources as noted above, other websites provide useful sources of information as explained here.
- If you have an ethical query, ICAS provides an ethics helpline service. In addition, ICAS offers an Ethics Buddy Service which enables a CA with an ethical dilemma, where deemed appropriate, to have confidential, informal, discussions with an experienced ICAS Member in order to explore their issue and assist them in considering how they might approach their dilemma.
- ICAS is also partnered with whistleblowing charity Protect to provide Members and Students with access to an independent, confidential helpline. This service offers free advice regarding whistleblowing and speaking up.