IESBA revises Code of Ethics to respond to transformative effects of technology
IESBA revises its Code of Ethics to respond to technological innovation
At a time when there is much discussion about the use of artificial intelligence, the International Ethics Standards Board for Accountants (IESBA) has issued revisions to the International Code of Ethics for Professional Accountants (including International Independence Standards) to respond to the impact of rapid technological advancements and accelerating digitalisation. The revisions refer to the generic term “technology” to help future-proof their relevance.
However, considerable outreach was performed in the development of the proposals to ensure that the ethics and independence implications of technologies such as robotic process automation and artificial intelligence for professional accountants were considered.
The revisions:
- strengthen the code in guiding the mindset and behaviour of professional accountants (PAs) when using any technology.
- provide enhanced guidance fit for the digital age in relation to the fundamental principles of confidentiality, and professional competence and due care, as well as in dealing with circumstances of complexity.
- address the circumstances in which firms and network firms may or may not provide a technology-related non-assurance service to an audit or assurance client.
The revisions to the international independence standards take effect for audits and reviews of financial statements for periods beginning on or after 15 December 2024. Those to the ethics provisions of the code take effect as of 15 December 2024. ICAS will be updating its Code of Ethics to reflect these and other changes to the IESBA code in due course. The Financial Reporting Council will also be considering the impact of the independence revisions on its Ethical Standard. References to the IESBA code below are to the version which will take effect on the above date. Some of the key changes are as follows.
The changes to the IESBA code include a definition of ‘confidential information’ which is ‘Any information, data or other material in whatever form or medium (including written, electronic, visual or oral) that is not publicly available.’ Furthermore, it is highlighted that maintaining the confidentiality of information acquired in the course of professional and business relationships involves the PA taking appropriate action to protect the confidentiality of such information in the course of its collection, use, transfer, storage or retention, dissemination and lawful destruction.
Application material has been included to provide examples of circumstances where a PA might seek authorisation to use or disclose confidential information. For certain matters, the authorisation could be of a general nature, e.g. as found in some contracts signed between firms and their clients that permit the use of confidential information acquired in the course of a professional activity for the purposes of the firm’s internal training or other quality enhancement initiatives. The reference to “internal training” is intended to encompass the training of both internal AI systems and staff in either a firm or an employing organisation. In more specific circumstances where a PA seeks authorisation to use or disclose confidential information, the revisions:
- Set out what a PA might communicate when seeking the authorisation, preferably in writing.
- Specify that such authorisation should be sought from the individual or entity that provided the confidential information.
The revisions recognise that professional judgment exercised by PAs might need to take into account the complexity of the circumstances that they face. Although complex circumstances have always existed and are not a new phenomenon specific to technology, rapid digitalisation has increased the interconnectedness of social, economic, legal and geopolitical systems, and is a complex circumstance that PAs are now facing. In this regard, the guidance included should not be restricted to technology-specific complex circumstances.
The revisions highlight that managing complexity involves:
- Making the firm or employing organization and, if appropriate, relevant stakeholders aware of the inherent uncertainties or difficulties arising from the facts and circumstances
- Being alert to any developments or changes in the facts and circumstances and assessing whether they might impact any judgments the accountant has made.
It might also involve other matters, including:
- Analysing and investigating, as relevant, any uncertain elements, the variables and assumptions and how they are connected or interdependent.
- Using technology to analyse relevant data to inform the PA’s judgment.
- Consulting with others, including experts, to ensure appropriate challenge and additional input as part of the evaluation process.
The code revisions highlight facts and circumstances relating to the use of technology that might create threats for a PA when undertaking a professional activity. These include the self-interest threat that a PA might not have sufficient information and expertise, or access to an expert with sufficient understanding, to use and explain the technology and its appropriateness for the purpose intended. A self-review threat is created where the technology was designed or developed using the knowledge, expertise or judgement of the accountant or employing organisation/firm.
Preparing and presenting information
When preparing or presenting information, a PA who intends to use the output of technology, whether internally or externally developed, is required to exercise professional judgement to determine the appropriate steps to take, if any, to guard against matters such as bias or being associated with misleading information. Factors to consider include:
- the nature of the activity to be performed by the technology.
- the expected use of, or extent of reliance on, the output of the technology.
- whether the PA has the ability, or has access to an expert with the ability, to understand, use and explain the technology and its appropriateness for the purpose intended.
- whether the technology used has been appropriately tested and evaluated for the purpose intended.
- prior experience with the technology and whether its use for specific purposes is generally accepted.
- the employing organization’s/firm’s oversight of the design, development, implementation, operation, maintenance, monitoring, updating or upgrading of the technology.
- the controls relating to the use of the technology, including procedures for authorising user access to the technology and overseeing such use.
- the appropriateness of the inputs to the technology, including data and any related decisions, and decisions made by individuals in the course of using the technology.
Whilst ultimately it is the “output of the technology” that a PA will utilise in the delivery of their professional activity or service, in order to be able to use such output, the whole process of making use of the technology is considered within the application material, as seen in the above bullets.
Selling, reselling or licensing technology
The revisions also cover situations where a firm or a network firm provides, sells, resells or licenses technology:
(a) to an audit client; or
(b) to an entity that provides services using such technology to audit clients of the firm or network firm.
Depending on the facts and circumstances, the requirements and application material in the non-assurance services provisions apply. This is to cover situations where a firm may provide a non-assurance service via technology.
IT systems services
Providing IT systems services to an audit client can result in a firm assuming a management responsibility. Such services include:
- Designing or developing hardware or software IT systems.
- Implementing IT systems, including installation, configuration, interfacing, or customization.
- Operating, maintaining, monitoring, updating or upgrading IT systems.
- Collecting or storing data or managing (directly or indirectly) the hosting of data.
Examples of IT systems services that result in the assumption of a management responsibility include where a firm or a network firm:
- Stores data or manages (directly or indirectly) the hosting of data on behalf of the audit client e.g.:
  - Acting as the only access to a financial or non-financial information system of the audit client.
  - Taking custody of or storing the audit client’s data or records such that the audit client’s data or records are otherwise incomplete.
- Providing electronic security or back-up services, such as business continuity or a disaster recovery function, for the audit client’s data or records.
- Operating, maintaining, or monitoring the audit client’s IT systems, network or website.
However, the collection, receipt, transmission and retention of data provided by an audit client in the course of an audit or to enable the provision of a permissible service to that client does not result in an assumption of management responsibility.