SEC, PCAOB, and Other Independence Rules

While the AICPA Code of Professional Conduct establishes the ethical baseline for all CPAs, auditors of issuers (public companies registered with the SEC) must also comply with the more stringent independence rules of the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB). The Sarbanes-Oxley Act of 2002 (SOX) significantly tightened independence requirements in response to high-profile corporate scandals.

For the AUD exam, you must understand how SEC and PCAOB rules differ from AICPA rules, which services are prohibited for issuer audit clients, and the specific requirements for partner rotation and cooling-off periods.


Regulatory Framework: Who Governs What?

| Regulatory Body | Scope | Key Authority |
|---|---|---|
| AICPA | All CPAs (primarily governs nonissuer engagements) | Issues the Code of Professional Conduct; sets SASs through the Auditing Standards Board |
| SEC | Public companies (issuers) and their auditors | Establishes independence rules under Regulation S-X, Rule 2-01; has ultimate authority over auditor independence for issuers |
| PCAOB | Registered public accounting firms auditing issuers | Sets auditing standards (ASs) and ethics/independence rules for issuer audits; inspects registered firms |
| SOX (Sarbanes-Oxley Act) | Issuers and their auditors | Federal law that created the PCAOB and established statutory prohibitions on certain non-audit services |

For issuers, when there is a conflict between AICPA rules and SEC/PCAOB rules, the more restrictive rule applies. In practice, the SEC and PCAOB rules are almost always more restrictive. For nonissuers, only AICPA rules apply (unless state boards or other regulators impose additional requirements).


SEC Independence Rules

The SEC's independence framework is codified primarily in Regulation S-X, Rule 2-01. The SEC defines independence broadly: an auditor is not independent if the auditor is not, or a reasonable investor would conclude the auditor is not, capable of exercising objective and impartial judgment on all issues in the audit.

Key Differences from AICPA Rules

| Area | AICPA Rule | SEC Rule |
|---|---|---|
| Financial interests | Direct = always prohibited; indirect = prohibited if material | Same general framework, but SEC rules apply to a broader set of "covered persons" in the firm (not just the engagement team) |
| Business relationships | Evaluated through conceptual framework | More prescriptive; joint business ventures and similar arrangements are specifically prohibited |
| Nonattest services | Permitted with three safeguards (client oversight, management responsibility, no management role) | Many services are categorically prohibited by SOX — safeguards cannot cure the impairment |
| Scope of "covered persons" | "Covered members" include the engagement team, those who can influence the engagement, and the firm | SEC's definition of "covered persons" can extend to other partners in the office that participates in a significant portion of the audit |
| Cooling-off period | One year before a former practitioner's association with a client impairs independence | One year before a former engagement team member can accept certain positions at an issuer client (see below) |
| Contingent fees | Prohibited for attest clients | Prohibited for audit clients and certain related entities |

Example: Gies Co. is a publicly traded company. Its audit firm wants to provide internal audit outsourcing services to Gies Co. Under AICPA rules, this might be permissible with appropriate safeguards. Under SEC/PCAOB rules, internal audit outsourcing for an issuer audit client is prohibited — no amount of safeguards can remedy the impairment.


Prohibited Non-Audit Services Under SOX and PCAOB Rules

Section 201 of the Sarbanes-Oxley Act explicitly prohibits a registered public accounting firm from providing the following non-audit services to an issuer audit client contemporaneously with the audit:

| Prohibited Service | Rationale |
|---|---|
| Bookkeeping or other services related to the accounting records or financial statements | Creates a self-review threat — the auditor would be auditing their own work |
| Financial information systems design and implementation | Could impair objectivity if the auditor designed the systems they are now evaluating |
| Appraisal or valuation services, fairness opinions, or contribution-in-kind reports | The auditor would be auditing estimates or valuations they produced |
| Actuarial services | Self-review threat for pension and insurance-related amounts |
| Internal audit outsourcing | The auditor would be relying on their own internal audit work during the financial statement audit |
| Management functions or human resources | Management participation threat |
| Broker-dealer, investment adviser, or investment banking services | Creates financial self-interest and advocacy threats |
| Legal services and expert services unrelated to the audit | Advocacy threat |
| Any other service the PCAOB determines by regulation is impermissible | Catch-all provision |

These prohibitions are absolute for issuer audit clients. Unlike AICPA rules, there is no conceptual framework exception — the services simply cannot be provided to an audit client regardless of safeguards. However, the firm may provide these services to non-audit clients and to affiliates of the audit client that are not in the audit scope, subject to specific conditions.

Permitted Non-Audit Services for Issuers

Not all non-audit services are prohibited. A firm may provide other services — most notably tax compliance and tax planning services — to an issuer audit client, provided:

  1. The services are pre-approved by the audit committee
  2. The services do not involve prohibited tax transactions (see Tax Services section below)

Audit Committee Pre-Approval Requirement

Under SOX and SEC rules, all audit and non-audit services provided by the audit firm to an issuer client must be pre-approved by the audit committee of the client's board of directors.

  • The audit committee may establish pre-approval policies and procedures for certain routine services, rather than approving each engagement individually
  • There is a de minimis exception: non-audit services that do not exceed 5% of total fees paid to the auditor may be approved retroactively, provided they were not recognized as non-audit services at the time and are brought to the committee's attention promptly
  • The audit committee cannot delegate pre-approval authority to management

Example: Kingfisher Industries' audit committee reviews and pre-approves a list of permitted tax services and their estimated fees at the beginning of each year. When the audit firm proposes providing a new advisory service mid-year, the firm must return to the audit committee for specific approval before beginning the work.


Partner Rotation Requirements

PCAOB Rules (Issuers)

To prevent familiarity threats, the PCAOB and SEC require mandatory rotation of certain audit partners on issuer engagements:

| Partner Role | Rotation Requirement | Cooling-Off Period |
|---|---|---|
| Lead engagement partner | Must rotate off after 5 consecutive years | 5-year cooling-off period before returning |
| Engagement quality review (EQR) partner | Must rotate off after 5 consecutive years | 5-year cooling-off period |
| Other audit partners (those with significant engagement responsibilities) | Must rotate off after 5 consecutive years | 2-year cooling-off period |

Exam Tip

The key numbers to memorize are 5-5-5-2: five years on, five-year cooling-off for lead and EQR partners, and two-year cooling-off for other significant partners. The AICPA does not require mandatory rotation for nonissuer engagements (though firms may adopt rotation policies voluntarily).

AICPA Rules (Nonissuers)

The AICPA does not require mandatory partner rotation for nonissuer engagements. However, the AICPA's quality management standards encourage firms to establish policies addressing long association with an attest client and the familiarity threat it creates.


Cooling-Off Period for Employment

SEC Rules

When a member of the audit engagement team leaves the audit firm and joins an issuer audit client in a financial reporting oversight role, a one-year cooling-off period applies. Specifically:

  • The individual must not have been a member of the engagement team during the one-year period preceding the date that audit procedures began for the fiscal year that includes the date of the individual's employment
  • Financial reporting oversight role includes positions such as CEO, CFO, controller, chief accounting officer, and any other position that exercises influence over the financial statements

Example: A senior manager at the firm that audits MAS Inc. accepts a position as MAS Inc.'s controller. For the firm to remain independent, the individual must not have served on the MAS Inc. engagement team during the one-year period before the start of the audit for the fiscal year in which the individual joins MAS Inc. If the manager worked on the MAS Inc. audit within the prior year, the firm's independence is impaired.

The SEC cooling-off rule is more prescriptive than the AICPA rule. The AICPA uses a conceptual framework approach for former practitioners, while the SEC imposes a bright-line one-year rule for issuer audits.


Tax Services Restrictions Under PCAOB Rules

While tax services are not categorically banned for issuer audit clients, the PCAOB imposes important restrictions:

Prohibited Tax Services for Issuer Audit Clients

  1. Tax services to persons in financial reporting oversight roles at the audit client (and their immediate family members) are prohibited
  2. Marketing, planning, or opining in favor of aggressive tax positions that are initially recommended by the auditor and that are confidential or aggressive (lacking substantial authority) are prohibited
  3. Tax services related to certain "listed transactions" (transactions identified by the IRS as tax avoidance) are prohibited

Permitted Tax Services

  • Routine tax compliance (preparing tax returns) — permitted with audit committee pre-approval
  • Tax planning and advice on established positions — permitted with audit committee pre-approval, provided the firm does not act as an advocate

Example: BIF Partners (a public company) asks its audit firm to prepare its corporate tax return. This is permitted as long as the audit committee pre-approves the service. However, if the audit firm were to design and market an aggressive tax shelter strategy to BIF Partners, that service would be prohibited.


Comparison: AICPA vs. SEC/PCAOB Independence

| Feature | AICPA (Nonissuers) | SEC/PCAOB (Issuers) |
|---|---|---|
| Approach | Conceptual framework (threats and safeguards) supplemented by specific rules | Specific prohibitions supplemented by a general independence standard |
| Nonattest services | Permitted with three safeguards | Many services categorically prohibited by SOX |
| Partner rotation | Not required | Required: 5 years on, 5-year or 2-year cooling-off |
| Audit committee pre-approval | Not required (no audit committee requirement for most nonissuers) | Required for all audit and non-audit services |
| Tax services | Generally permitted with safeguards | Permitted with restrictions and audit committee approval; certain tax services prohibited |
| Cooling-off for employment | Conceptual framework evaluation | Bright-line one-year rule |
| Contingent fees | Prohibited for attest clients | Prohibited for audit clients |
| Scope of covered persons | Engagement team, those who influence engagement, the firm | Broader — can include all partners in the office participating in a significant portion of the audit |

On the CPA exam, many independence questions ask you to determine whether independence is impaired. Always consider first: Is the client an issuer or nonissuer? This determines which set of rules applies. If the client is an issuer, apply the more restrictive SEC/PCAOB rules.


SOX Whistle-Blower Protections

Section 806 of the Sarbanes-Oxley Act provides federal protection for employees of publicly traded companies who report suspected fraud or securities violations. These protections are designed to encourage internal reporting and shield whistle-blowers from employer retaliation.

Protected Activities

An employee is protected when they provide information or assist in an investigation regarding conduct the employee reasonably believes constitutes:

  • A violation of federal securities laws (including SEC rules and regulations)
  • Mail fraud, wire fraud, or bank fraud
  • Any rule or regulation of the SEC
  • Shareholder fraud or other violations related to the company's financial statements

The employee may report to a federal regulatory or law enforcement agency, any member or committee of Congress, or a person with supervisory authority over the employee within the company.

Prohibited Retaliation

An employer (including officers, employees, contractors, subcontractors, and agents) may not discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee because of lawful whistle-blowing activity.

Remedies for Retaliation

If an employee prevails in a whistle-blower complaint, the compensatory damages typically awarded include:

| Remedy | Description |
|---|---|
| Reinstatement | Restoration to the same or equivalent position with the same seniority status |
| Back pay with interest | Compensation for lost wages during the period of wrongful termination or demotion |
| Special damages | Compensation for additional harm such as litigation costs, expert witness fees, and reasonable attorney fees |

Exam Tip

SOX whistle-blower protections apply to employees of publicly traded companies (issuers). The employee need only have a reasonable belief that a violation occurred — the belief does not have to be correct. Filing a complaint must occur within 180 days of the retaliatory action.


Other Independence Considerations

Government Auditing Standards (Yellow Book)

Auditors performing audits under Government Auditing Standards (issued by the GAO) must comply with additional independence requirements. These standards are generally consistent with AICPA rules but include more restrictive provisions on nonattest services provided to government audit clients.

State Boards of Accountancy

Individual state boards may impose additional independence requirements beyond those of the AICPA, SEC, or PCAOB. CPAs must comply with the rules of the state(s) in which they are licensed.


Summary

| Rule | Key Takeaway |
|---|---|
| SOX prohibited services | Nine categories of services are absolutely prohibited for issuer audit clients |
| Audit committee pre-approval | Required for all audit and non-audit services provided to issuers |
| Lead/EQR partner rotation | 5 years on, 5-year cooling-off |
| Other partner rotation | 5 years on, 2-year cooling-off |
| Employment cooling-off | 1 year before joining an issuer client in a financial reporting oversight role |
| Tax services | Generally permitted with pre-approval, but aggressive/listed transactions are prohibited |
| AICPA vs. SEC/PCAOB | SEC/PCAOB rules are more restrictive and apply to issuer engagements |
| SOX whistle-blower protections | Employees of issuers who report fraud are protected from retaliation; remedies include reinstatement, back pay with interest, and special damages |

Final Exam Tip

When a CPA exam question involves independence for a public company, immediately think SOX and PCAOB. The prohibited services list, partner rotation schedule, and cooling-off rules are heavily tested. For private company questions, apply AICPA rules and the conceptual framework approach.