All audit firms need to be aware of new provisions around ‘data hosting’ in the Revised Ethical Standard 2024. BDO’s Omid Tissier offers insights on key aspects and potential impacts.
When the Financial Reporting Council (FRC) issued its Revised Ethical Standard 2024 (2024 ES) it aimed to do three main things:
- simplify the standard and add clarity in areas that were causing issues for auditors and assurance providers;
- take account of updates made to the International Code of Ethics for Professional Accountants from the International Ethics Standards Board for Accountants (IESBA); and
- add targeted restrictions on fees from entities related by a single controlling party.
The 2024 ES applies for periods commencing on or after 15 December 2024. Firms may complete engagements relating to periods commencing before that date in accordance with the 2019 ES, and then put in place the changes necessary for the subsequent engagement period.
Going forward there are some key aspects of the 2024 ES for audit firms to be aware of.
ICAEW resources are available (see below) to support auditors in interpreting and implementing clarifications and changes around related matters, such as dependency on fees generated by entities with the same beneficial owner or controlling party, requirements to report breaches to the competent authority, and threats and safeguards related to the provision of tax services.
This article will focus on another aspect of providing non-audit services which auditors will want to consider following clarifications in the 2024 ES: ethical considerations around data hosting.
New provisions around data hosting
“The updated area of the standard relating to data hosting is significant because it’s a fairly big change,” says Omid Tissier, a Senior Manager in the ethics team at BDO, who outlines why and how, during a faculty webcast highlighting key areas of the 2024 ES.
New provisions relating to data hosting have been added in the 2024 ES, Section 5 Non-audit/Additional services, Section C Approach to Non-audit/Additional Services Provided in any Statutory Audit Engagement, in the Information Technology Services paragraphs 5.53 and 5.54.
Para 5.53 of the FRC’s 2024 ES now substantively mirrors the IESBA International Code of Ethics for Professional Accountants. It gives the following examples of IT services, provided to an entity relevant to an engagement, that create threats to the integrity, objectivity and independence of the firm and covered persons where the firm stores or manages the hosting of data on behalf of that entity. Such services include:
- Acting as the only access to financial or non-financial information systems of such an entity.
- Taking custody of or storing the entity’s data or records such that the entity’s data or records are otherwise incomplete.
- Providing electronic security or back-up services, such as business continuity or disaster recovery functions, for the entity’s data or records.
- Operating, maintaining, or monitoring such an entity’s IT systems, network or website.
“Our interpretation at BDO is that these four areas are ordinarily prohibited, because they are likely to represent management responsibilities and thus auditors should not be doing them for audited entities,” says Tissier.
In evaluating threats to compliance with the standard’s overarching principles of integrity, objectivity and independence, all audit firms are advised to review their non-audit services and consider whether any of the areas included in the list of examples are relevant and if so, what action is needed. “Some firms may need to reorganise their arrangements,” says Tissier.
Pause for thought
Take the first two bullet points above: where the auditor is acting as the only access to an information system, or is taking custody of or storing the entity’s data, the entity’s own data records are effectively incomplete. “This will be problematic if we have entity data or information and the entity does not have access to that system,” says Tissier, even if the entity is without a copy of just one or two documents. “This would potentially put us in a situation where we are in non-compliance with the provisions in the standard.”
As highlighted in the third bullet point, auditors also need to be wary of situations where it appears that the entity is relying on the audit firm to archive entity data or keep it backed up. “It needs to be clear that the entity is retaining ownership of their data and that they are responsible for backing up their own data and storing it securely,” says Tissier.
Considering the fourth bullet point above, Tissier says that auditors cannot be responsible for the operational maintenance of an entity’s IT systems, network or website. “It’s the entity that has to be responsible for running their own software updates and keeping everything up to date,” says Tissier.
During the webcast, Tissier shares some insights on how BDO assessed its service offerings to see whether the data hosting aspects were present and, if so, what the impact was for services to audited entities. One example was company secretarial services, where the firm was maintaining statutory registers on behalf of entities that did not have access to the live versions of those documents.
After considering the impact to audited entities that use BDO’s company secretarial service, the firm decided to modify the service such that direct data access was available to the entity. As Tissier explains: “Now every time there is an update to their statutory registers, the audited entity is responsible for downloading it and then storing it securely on their own systems.”
Although compliance with the new provisions may be less of an issue for some firms, they do need to be considered, as it is increasingly common for firms and their clients to utilise and interact via cloud-based solutions. “We all need to think about how we are using them,” says Tissier. “It is sometimes a complex analysis and can take quite a bit of time.”
Clarification on audit-related IT services
Alongside these provisions, para 5.54 of the 2024 ES provides an important clarification, stating:
“The collection, receipt, transmission and retention of data provided by an audited entity in the course of an audit or to enable the provision of a permissible service to that entity do not create the threats described in paragraph 5.53.”
“If you think about it, there will be many situations where this applies,” says Tissier. It is usual for an audited entity to provide members of the audit team with documents and information via some sort of document sharing system, and for the auditor to use those documents and information to prepare a report or return, holding them for the time it takes to complete the engagement.
“At BDO, there are lots of situations where this arises, and I’m sure it's the case with other firms,” he says, adding that this situation will not create threats to integrity, objectivity and independence. “It is often more complex, however, to analyse data held during the provision of non-audit services to decide whether this hosted data is held to enable the provision of that ultimate service (permitted), or whether the data is held and retained as part of the service itself (likely, not permitted). Some situations can be quite judgemental.”
All firms should thoroughly review their non-audit services to determine whether any of them involve the data hosting examples listed in para 5.53, consider the possible implications, decide whether changes are needed to any related arrangements, and then communicate those changes clearly to audited entities, so that the firm is not at risk of breaching the new provisions in the 2024 ES.
ICAEW resources
Revised Ethical Standard 2024 – Tissier and other BDO specialists focus on key changes in a December 2024 webcast (available as a recording with slides). This webcast covers aspects of the FRC’s 2024 ES including: breach reporting; considerations for auditors of listed entities, public interest entities (PIEs) and other entities of public interest; fee dependence and multiple unrelated audit entities with a single beneficial owner; FRC guidance on the objective, reasonable and informed third party test (issued at the same time as the 2024 ES); plus insights into areas where auditors might expect to see changes in the future.
Elevating Ethical Standards – How changes in the 2024 ES affect small firm policies, procedures, staff and partners.
Reporting breaches of the FRC ES – Contact details and forms for ICAEW-registered firms that do not audit PIEs to make notifications of breaches.
Get ready: ICAEW Code of Ethics to change in 2025 – How the ICAEW code is incorporating changes to the International Ethics Standards Board for Accountants code, including new provisions on providing technology-related non-assurance services to an audit or assurance client.
Other resources
Applying the Code’s Conceptual Framework to Independence: Practical Guidance for Auditors in Technology-related Scenarios – Non-authoritative guidance including illustrative examples, from IESBA and the Accounting Professional and Ethical Standards Board (APESB) of Australia.