Provision of non-assurance services to an audit client

The revisions to the 2025 edition of the Code provide guidance and application material to assist firms and network firms in identifying and evaluating self-review threats that might be created by the provision of a non-assurance service to an audit client.

Such self-review threats include the provision of advice and recommendations; and the provision of multiple non-assurance services to the same audit client. The revisions also identify certain situations where a self-review threat to independence is not created.

The revisions emphasise that the concept of materiality is not relevant in circumstances where the Code expressly prohibits the provision of non-assurance services to an audit client.

Of particular significance, is new section R600.17, which introduces a new general prohibition on the provision of a non-assurance service to an audit client that is a PIE, where the provision of that service might create a self-review threat in relation to audit of the financial statements on which the firm will express an opinion.

The revisions introduce new and detailed provisions to strengthen and improve the quality of a firm’s communication with those charged with governance about non-assurance-service-related matters, especially in the case of audit clients that are PIEs and entities within that PIE’s corporate structure.

The revisions address the situation in which an audit client subsequently becomes a PIE and the actions that should be taken to address independence threats; and provide guidance on documenting compliance with the non-assurance services provisions of the Code.

Application of the Conceptual Framework

New section R600.9 requires a firm or network firm to apply the Conceptual Framework and to identify, evaluate and address any threats to independence, before accepting an engagement to provide non-assurance services to an audit client.

New section 600.5 acknowledges that new business practices, evolution in financial markets and new technological developments make it difficult to draw up a conclusive list of non-assurance services. However, the Conceptual Framework and the general provisions of section 600 will apply where there are no specific requirements or application material in relation to a particular specified category of non-assurance services. Where local laws and regulations exist, firms should comply with those provisions that might be more stringent than the provisions in the Code (Section 600.7A1).

Section 600.6 confirms that the provisions of section 600 apply where a firm or network firm is using technology to provide non-assurance services to an audit client; or provides, sells or licenses technology which results in the provision of a non-assurance service to an audit client (or to an entity that provides services using such technology to audit clients of the firm or network firm).

Identification of potential threats

New Section 600.10 A2 sets out a range of factors which are relevant to identifying and evaluating threats. These include whether the client is a PIE and whether the outcome of the service will affect the accounting records or matters reflected in the financial statements on which the firm will express an opinion.

Other factors include the:

• nature, scope, intended use and purpose of the service;
• manner in which the service will be provided (including personnel and their location);
• client’s dependency on the service;
• legal and regulatory environment in which the service is provided;
• level of expertise of the client’s management and employees;
• extent to which the client determines significant matters of judgement;
• nature and extent of the impact of the service (if any) on the systems that generate information relating to accounting records financial statements or internal controls over financial reporting;
• degree of reliance that will be placed on the outcome of the service as part of the audit;
• fee relating to the provision of the service.

Self-review threats

New section 600.12.A1 notes that the provision of advice and recommendations to an audit client might create a self review threat. By section R600.15, before providing any advice or recommendations, the firm or network must evaluate whether there is a risk that:

• the results of the service will form part of, or affect the accounting records, internal control over financial reporting or the financial statements on which the firm will express an opinion; and
• in the course of the audit of the financial statements on which the firm will express an opinion, the audit team will evaluate or rely on any judgements made (or activities performed) by the firm or network firm when providing the service. 

Section 600.14 emphasises that where a firm or network firm provides a non-assurance service to an audit client, there may be a risk of the firm auditing is own or the network firm’s work, thereby giving rise to a self-review threat.

Provision of multiple services

New section R600.13 provides that where a firm or network firm provides multiple non-assurance services to one audit client, the firm shall consider both the potential threats created by the provision of each service individually; and the potential threat created by the combined effect of the provision of multiple services and any impact that might have on the firm’s independence.

Section 600.13.A1 sets out additional factors to consider which are relevant to a firm’s independence, when providing multiple non-assurance services.

Materiality

Section 600.11 A1 notes that materiality is relevant to the evaluation of threats created by providing non-assurance services to a client and that assessing materiality involves the exercise of professional judgement. However, where the Code expressly prohibits the provision of non-assurance services to an audit client, firms or network firms are not permitted to provide the service, regardless of the materiality of the outcome or results that the provision of the non-assurance service may have on the financial statements (600.11.A2).

Provisions relating to PIEs

New section R600.17 introduces a new general prohibition on the provision of a non-assurance service to an audit client that is a PIE, if the provision of that service might create a self-review threat in relation to audit of the financial statements on which the firm will express an opinion.

The rationale for the prohibition is set out in section 600.16A1 (the heightened expectations of stakeholders regarding a firm’s independence in relation to the audit of PIEs). New section 600.16 A2 emphasises that where the provision of non-assurance services to PIE client might create a self-review threat; such a threat cannot be eliminated, and safeguards are not capable of reducing the threat to an acceptable level.

However, new section R600.18 provides an exception: a firm or network firm may provide advice and recommendations to a PIE audit client in relation to information or matters arising in the course of an audit provided that the firm:

• does not assume a management responsibility; and
• applies the Conceptual Framework to identify, evaluate and address threats to independence that might be created by the provision of such advice.

New section 600.18.A1 provides examples of the type of advice and recommendations that can be provided. These include advising on: accounting and financial reporting standards and disclosure policies; appropriateness of financial and accounting controls; proposals for adjusting journal entries arising from audit findings; and other specific examples.

Addressing threats

New Section 600.19 A3 sets out examples of safeguarding actions that can be taken to address identified threats. These include: using professionals who are not part of the audit team to perform the service; having an appropriate reviewer who was not involved in the provision of the service to review the audit work or service performed; and obtaining pre-clearance of the outcome of the service from the appropriate authority (for example, a tax authority).

However, section 600.19. A4 acknowledges that safeguards might not be available to reduce any potential threat to an acceptable level. In such circumstances, the firm is required to:

• adjust the scope of the proposed service to eliminate the circumstances creating the threats;
• decline or end the service; or
• end the audit engagement.

Strengthening communication with those charged with governance

PIE audit clients

New sections R600.22 to R600.24 require a firm to communicate with those charged with governance of a PIE audit client before the firm or network firm provides non-assurance services to entities within the corporate structure of which the PIE forms part, and which might create threats to the firm’s independence from the PIE.

The purpose of the communication is set out in new section 600.21.A1: to enable those charged with governance of the PIE to have effective oversight of the independence of the firm that audits the financial statements of that PIE.

New section 600.21.A2 sets out the detailed features that a suitable communication process should contain. These include matters such as:

• the basis for provision of information (under a general policy or on an individual engagement basis);
• identification of entities in the corporate structure that will be covered by the process;
• identification of any services that may be provided under a general policy without the need for specific approval;
• how those charged with governance of multiple PIEs within the same corporate structure have determined that authority for approving services is to be allocated;
• the procedure to be followed where provision of information may be prohibited by professional standards, laws or regulations or might result in the disclosure of confidential or sensitive information; and
• how any matters not specifically covered by the process are to be resolved.

Unless specifically addressed under the communication process; certain information must be provided before a firm audits the financial statements of a PIE; or a network firm accepts an engagement to provide a non- assurance service to that PIE, any entity that controls the PIE ( directly or indirectly), or any entity that is controlled by the PIE (directly or indirectly).

This information is set out in new section R600.22.

Firstly, the firm must inform those charged with governance of the PIE, that it has determined that the provision of the service:

• is not prohibited; and
• will not create a threat to the firm’s independence as auditor of the PIE (or that any identified threat is at an acceptable level or, if not, will be eliminated or reduced to an acceptable level).

Secondly, the firm must also provide those charged with governance of the PIE with information to enable them to make an informed assessment about the impact of the provision of the service on the firm’s independence.

New section 600.22.A1 sets out examples of the type of information to be provided to those charged with governance of the PIE. These include information about the nature and scope of the service to be provided; basis and amount of the proposed fee; the basement for any assessment that potential threats have been reduced to an acceptable level; and whether the combined effect of providing multiple services might create threats to independence or change the level of any previously identified threats.

By new section R600.23, a firm or network firm shall not provide a non-assurance service to any of the entities referred to in paragraph R600.21 unless those charged with governance of the PIE have concurred (either under a process agreed with those charged with governance or in relation to a specific service) with:

• The firm’s conclusion that the provision of the service will not create a threat to the firm’s independence as auditor of the PIE (or that any identified threat is at an acceptable level or, if not, will be eliminated, or reduced to an acceptable level); and
• The provision of that service. 

However, new section R600.24 provides an exception to paragraphs R600.22 (the requirement to provide information to those charged with governance) and R600.23 (the requirement for those charged with governance to concur), in circumstances where the provision of information is prohibited by professional standards, laws or regulations; or would result in disclosure of sensitive or confidential information.

By new section R600.25, having taken into account any matters raised by those charged with governance, a firm or network firm should decline to provide the non-assurance service or end the audit engagement if:

• the firm or network firm is not permitted to provide the specified information to those charged with governance of a PIE Audit Client (if not covered by the communication process agreed in advance); or
• those charged with governance of a PIE disagree with the firm’s conclusion that the provision of the non-assurance service does not create a threat to independence (or that any threat has been eliminated or reduced to an acceptable level). 

Audit client that subsequently becomes a PIE

New section R600.26 provides that where an audit client subsequently becomes a PIE, the provision of non-assurance services (either currently or previously) to that client, will impair the independence of the firm or network firm unless the actions and circumstances specified in that section are fulfilled. These include ending any prohibited non-assurance services services before the client becomes a PIE (or as soon as possible afterwards); and agreeing further actions with those charged with governance, to reduce any threats to independence.

New section R600.26.A1 provides examples of the sorts of further action that might be taken, including recommending a review of the affected audit work (or performing the audit again), to the extent that is necessary.

Documentation

New section 600.28.A1 provides guidance on documenting the firm’s conclusions on compliance with the non-assurance service provisions in the Code. These include setting out:

• key elements of the firm’s understanding of the nature of the non-assurance service to be provided, and whether and how the service might impact on the financial statements on which the firm will express an opinion;
• the nature of any threat to independence created by providing the non-assurance service to the client (including whether the results of the service will be subject to audit procedures); and
• the extent of management’s involvement in the provision and oversight of the proposed non-assurance service;
• any safeguards applied and actions taken to address threats to independence; and
• the firm’s rationale for determining that the new service is not prohibited.

Specific types of service

Section 600 of the Code includes further detailed sections on the provision of particular types of non-assurance services. These include:

• accounting and bookkeeping services (ss 601));
• administrative services (ss 602);
• valuation services (ss603);
• tax services(ss 604);
• internal audit services (ss 605);
• information technology services (ss 606);
• litigation support services (ss 607);
• legal services (ss 608);
• recruiting services (ss 609); and
• corporate finance services (ss 610).

For each of these specified services, the relevant section includes a description of the service; the potential threats that may arise ( including self-review threats, threats to independence and the risk of assuming a management responsibility); specific provisions relating to PIES; and prohibited activities (where relevant). 

Professional accountants providing these specific types of non-assurance services should ensure that they are familiar with provisions of the relevant sub-sections of the Code.

IESBA support

IESBA has published further explanation of the changes, including a mapping exercise comparing the new and previous non-assurance service provisions of the Code.