For many years, the "Information Systems Design, Implementation, or Integration" interpretation (ET [section]1.295.145) in the AICPA Code of Professional Conduct provided guidance for information system services. Services of this type pose potential independence challenges and threats. The existing interpretation provided that the threats to independence would be at an acceptable level if a member took certain actions related to an attest client's financial information system (FIS).
In particular, threats arising if a member installed or integrated an attest client's FIS would be at an acceptable level as long as the member did not design or develop the system, and the member was also in compliance with the general requirements for performing nonattest services.
Though helpful, this language led to some questions and debate. For example, what did "install" mean, and how did this differ from "integrate"? Was this latter term the same as "design" and "implement"?
The existing interpretation also mentioned "off-the-shelf" software as an example of what would not create threats to independence. At least as many questions stemmed from what is considered an off-the-shelf accounting package. Some practitioners maintained that an off-the-shelf package should be any software product commercially available from a third party, such as a software vendor, and should include complex enterprise software products such as Oracle, SAP, and others. Those with this view believed these products could meet the requirement of not having been designed or developed by the member.
Others believed that the phrase "off-the-shelf" referred only to very simple software products that may be, for example, bought shrink-wrapped off the shelf or online from a retailer, loaded onto a client's computer, and immediately ready to use. Underlying this belief was a view that complex enterprise software products, which often come with myriad processing and data options to be chosen by the user, could perhaps lead to new functionality not designed by the third party that produced the software. This would mean that the member could end up somehow designing and implementing a "custom" system that no longer meets the supposed definition of an off-the-shelf software package.
These considerations, along with the need for a new hosting interpretation, prompted the AICPA Professional Ethics Executive Committee (PEEC) to organize a task force of representatives from several accounting firms, supported by AICPA staff, to review the guidance in the interpretation and determine how it might be clarified and improved.
The result of the task force's work was PEEC's adoption of a modernized interpretation on information system services that was issued in June, takes effect Jan. 1, 2021, and allows for early implementation.
KEY INFORMATION SYSTEMS SERVICES CONCEPTS
To better understand the revised interpretation, readers should bear in mind some important fundamental principles, concepts, and definitions. Let's start with the definitions. At the core of many information systems services are terms such as "install," "design," "configure," "develop," "implement," "customize," "interface," "commercial off-the-shelf (COTS) software," and...