Case 4-9 PWC Mischaracterizes Nonaudit Services PWC violated SEC rule 20203) ofRegulation S-X and PCAOB Rule 3525 by engaging in improper professional conduct In violation of the independence rules on audit clients. This case is unique because the rm had mischaracterized certain nonaudit services as part of the audit engagement to skirt its ethical responsibilities under SEC and PCAOB rules. In 2014, PWC performed nonaudit services for an audit client concerning Governance Risk and Compliance (GRC) software According to AAER No. 4084. \"GRC systems are used by companies to coordinate and monitor controls over nancial reporting, including employee access to critical nancial functions." The client \"intended to use the GRC software to generate information as part of the company's control environment and to provide data to assist personnel in forming conclusions regarding the effectiveness ofinternal controls related to nancial information systems." At the time, the GRC system was being implemented, it was intended to be subject to the internal control over nancial reporting audit procedures. As stated in AAER No. 4084, the SEC rules}z \"prohibit independent auditors from designing and implementing systems such as GRC where the software aggregates source data or generates information signicant to the clients' nancial statements or other nancial systems as a whole, Designing, implementing, or operating systems affecting the nancial statements can result in the accountant auditing his or her own work or attesting to the effectiveness of internal control systems designed or implemented by that accountant. The independence rules also prohibit an independent auditor from performing management functions,\" Communications between PWC and its audit client show that the client's head of internal audit was concerned whether the rm could provide an implementation proposal and inquired about auditor independence. Brandon Sprankle, who was the partner responsible for supervising the performance of prohibited nonaudit services. violated SEC Rule 202 when he responded that \"we are absolutely permitted to implement so there will be no issues. , even though he was aware that the rm's independence policies did not allow it or him to implement the GRC system. Communications with the client show the disconnect between the client's expectations and how PWC was describing its information systems services ostensibly to skirt the requirement not to perform certain nonaudit services for audit clients, An e-mail from the then head of internal audit of the client, who objected to the description of services contained in the draft engagement letter. informed PWC that the proposed work was an implementation project that's been outsourced to the rm. The nal engagement letter described the work on the GRC project \"as performing assessments and high-level recommendations" even though an internal PWC communication had characterized the engagement as a design and implementation project summarizes key communications over time. EXHIBIT 1 Tlmellne of PWC'S Design and Implementation of the Financial-Related Information System, in seeking internal authorization to perform the nonaudit GRC work, Brandon Sprankle drafted an engagement letter for approval by PwC's Risk Assurance Independence i\"RAi") group, an independencerreviewer within his business unit. in the draft engagement letter, Sprankle described the proposed services as assessing multiple areas, and providing obsen/ations and recommendations, as opposed to designing and implementing the GRC project. This description was inconsistent with issuer A's expectation that ch would conduct a design and implementation project as previously communicated to Sprankle. internal Audltor's Objections in early June 2014. issuer A again puts Sprankle on notice that it expected l>wc to design and implement a GRC solution for issuer A and to manage the prOjeci. After Sprankle sent the draft engagement letter, issuer A's thenrHead Of Internal Audit objected to the description 0' the services contained in the draft engagement letter. in the email, he iniormed Sprankle that the proposed work was an \"implementation project that's been outsourced" to PWC. Sprankle thereaiter met with the thenrHead of internal Audit, who understood from speaking with Sprankle that PWC would substantially design and implement the GRC module and would perform project management functions. At the time. me was continuing its audit of issuer A for ilscal year 2014 and, due to issuer A's prior accounting errors, performing additional audit work for fiscal years 2011 and 2012. The Head oi internal Audit was concerned that vat: would be performing internal audit-type services. The final engagement letter for the GRC project described the work as performing assessments and hlgnrlevel recommendations. However, as internal ch communications reflect, cenain ch employees characterized the engagement as a design and implementation project For example, in a July 2014 email, a PWC manager communicated his view to Sprankle that the project involved the implementation or a rlnanclalr related information system. in August 2014. PM began the GRC work To start the work, another ch manager. who Sprankle supervised, instructed a we associate to prepare a design document \"i need you to immediately begin working on creating a design document for how [the GRC module] will be built for the [GRC] rules We already know about. Below are the SOD [Segregation 0t Duties, an internal control Concept allocating duties among employees] rules we know we need to build. . . ." Management 0' the Project From August through mid-October 2014, we employees under Sprankle's supervision managed the project, performed substantial design work. configured the design on a nonproductlon server, and promoted oversight and direction for the implementation to alive environment. According to its senior manager for IT internal Audit: issuer A had little involvement in the assessment and design phase of the project; further, Issuer A lacked the technical expertise to contigure the systematic}, although issuer A ultimately had to approve the work, Sprankle and we employees under his supeNision exercised decisionrmaking authority in designing and configuring the GRC module, As the project progressed in September 2014. the PWC manager emailed the senior manager for iT Internal Audit at issuer A, who had oversight of the project. and copied Sprankle, about problems with the GRC server and application that needed to be addressed before ch could perform development work: \"We identified some critical issues that need to be resolved before we can get in there and do the development." Throughout the course ofthe GRC engagement, issuer A considered we to be the system implementei and deferred to ch on best practices ior settings that needed to be included in the system. Further, according to the senior manager ior iT internal Audit. issuer A allowed ch \"to make those decisions for us" and, although an issuer A employee would technically have his hands on the keyboard, a ch employee, under Sprankle's supervision. managed the process and directed the issuer A employee on what actions to take SEC/PCAOB Rule Violations Page 226 The rm agreed to pay over $7.9 million to settle charges With the SEC that It performed prohibited nonaudit services during an audit eng gement including exercising decision-making authority in the design and implementation of software relating to an audit client's nancial reporting and engaging in management functions. The rm violated PCAOB Rule 3525 by failing to describe in writing to the audit committee the scope of work, discuss the potential effects ofwork on independence, and document the substance of the independence discussion. These actions deprived the issuers' audit committee of information necessary to assess PWC's independence. The Violations occurred due to breakdowns in PwC's independence- related quality controls. which resulted in the rm's failure to carefully review and monitor whether nonaudit services for audit clients were permissible and approved by clients' audit coriimittee.-'3 This case illustrates a concern that in some cases audit rms are misrepresenting nonaudit services as part ofthe audit services to get around the rules that prohibit certain nonaudit services for audit clients Purposely doing so misleads the users ofnancial statements about the independence of the client. Questions 1. Identify any threats to independence that existed in this case. Explain how and why PWC ignored those threats to independence. 2. How would you characterize this case from the perspective of corporate governance at PWC and implementation of its own quality controls? 3, What ethical norms did PWC partner Brandon Sprankle Violate