Non-Audit Services and Auditor Independence: Is It Time for a Governance Reset?
Opening proposition
Recent events involving major professional services firms have returned an old governance question to the boardroom: when, if ever, should a company engage its external auditor to perform non-audit services?
The answer should not be reduced to a slogan. Non-audit services are not automatically improper. There are situations where the audit firm’s knowledge of the business, systems, controls, tax profile or regulatory environment can produce a real benefit for the company. However, the governance question is not whether the work is convenient, efficient or commercially attractive. The question is whether the company can demonstrate that the engagement is compatible with auditor independence, both in fact and in appearance.
That distinction matters. Independent audit is part of the trust architecture of corporate reporting. If investors, lenders, regulators or employees believe the auditor has become too commercially close to management, the audit opinion can lose credibility even where no technical breach has occurred. Recent events have not created the issue. They have made the issue harder for boards and audit committees to ignore.
What are non-audit services?
In this article, non-audit services (NAS) means services provided by the external audit firm, or its network, to an audit client outside the statutory financial audit engagement. Examples may include tax services, due diligence, agreed-upon procedures, assurance-related work, technology, internal control, cyber, sustainability, valuation, transaction, governance, regulatory and other advisory services.
The precise classification matters. Some work is plainly prohibited because it creates an unacceptable threat to independence. Some work may be permitted only after a documented assessment and approval by those charged with governance. Some work may be required by law or regulation, such as assurance over particular corporate reports, and should be distinguished from discretionary consulting. A well-drafted policy should avoid treating all “other services” as one undifferentiated category.
The Australian framework
Australia does not generally impose a blanket ban on an auditor providing all NAS to an audit client. Instead, the framework uses a combination of statutory disclosure, professional independence rules, audit committee oversight and market scrutiny.
The Corporations Act framework requires the auditor’s independence declaration to be included in the directors’ report. For listed companies, the directors’ report must also include a statement about whether the provision of non-audit services by the auditor is compatible with the general standard of auditor independence, and why. ASIC guidance also emphasises that independence must exist in fact and appearance.
AASB 1054 requires disclosure of fees paid or payable to the auditor, including for audit/review services and for other services. APES 110 Code of Ethics for Professional Accountants, including Independence Standards, requires firms to identify, evaluate and address threats to independence before providing NAS to an audit client. For public interest entity audit clients, the rules are particularly stringent. A firm must not provide a non-assurance service that might create a self-review threat, and the firm must communicate with those charged with governance so that they can oversee independence.
For boards and audit committees, the practical point is clear: approval of NAS is not a procurement formality. It is an independence decision, a disclosure decision, a risk decision and, increasingly, a culture and confidence decision.
What history tells us
The debate is not new. It was prominent after the corporate failures and audit controversies of the early 2000s, including Enron internationally and HIH in Australia. The Ramsay report and the subsequent CLERP 9 reforms did not recommend a complete prohibition on NAS. They favoured a principles-based independence framework, stronger disclosure and stronger audit committee oversight.
Public Australian data does not provide a neat, continuous 1985 to 2025 time series. That limitation should be acknowledged. However, the available material does show useful patterns.
First, the policy debate has moved from “can the auditor do consulting work?” to “what threats are created, who assesses them, how are they documented and how is the market informed?”. Secondly, Australian listed company data reviewed by the AUASB for 2012 to 2018 suggested a decline in NAS purchased from audit firms by listed audit clients over that period, and a declining ratio of NAS fees to audit fees. Thirdly, the major audit firms’ broader consulting and advisory businesses have grown, but much of that advisory revenue has been earned from entities that are not audit clients.
These patterns support a balanced conclusion. The market has not ignored the risk, but the risk has not disappeared. Nor should boards assume that a declining aggregate trend means their own policy, controls or culture are adequate.
Why companies still use their audit firms
There are legitimate reasons why companies may want to use their audit firm for particular NAS. The firm may already understand the company’s systems, controls, reporting timetable, tax profile and industry. This can reduce onboarding time, avoid duplication and improve the quality of technical advice. In some specialised areas, the audit firm may have deep expertise, global reach or access to multidisciplinary teams that are difficult to replicate.
These benefits are real, but they are not decisive. The audit committee should require management to explain why the external auditor is the appropriate provider, whether another provider could do the work, whether the engagement creates any actual or perceived independence threat, and whether the benefit outweighs that threat. “They know us already” is not, by itself, an adequate governance reason.
The risk map
The key risks are familiar but need renewed discipline.
Self-review risk arises where the audit firm may later need to audit or assure work it performed, systems it designed, estimates it developed, judgments it influenced or controls it helped implement. Advocacy risk arises where the firm promotes the company’s position in a dispute, transaction or regulatory process. Management-responsibility risk arises where the firm makes decisions that should be made by management. Familiarity and economic-dependence risks arise where the relationship becomes too close or too financially important. Perception risk arises where, even if technical safeguards exist, an informed observer may reasonably question the auditor’s objectivity.
Recent concerns involving professional services firms add another dimension: confidentiality and information-use risk. If a firm performs advisory work for multiple major clients, holds sensitive board papers, participates in tenders, or has strong cross-selling incentives, the audit committee should ask how client information is protected, who can access it, how conflicts are identified, how whistleblower concerns are escalated, and how the firm’s culture supports independence.
Sustainability reporting raises the stakes
Sustainability reporting and assurance deserve specific attention. Australia’s mandatory climate-related financial disclosure regime will increase demand for assurance, data, systems, controls and advisory services. Where the same audit firm is the financial auditor and the sustainability assurance provider, the company should be especially careful about using that firm for climate-report preparation, methodology development, data-system design, controls implementation or remediation that the firm may later need to assure.
A sensible policy should distinguish between legally required assurance, permissible assurance-related work and prohibited or high-risk advisory services. In many cases, companies will be better served by using a separate adviser for readiness, design and implementation work, leaving the auditor to provide independent assurance.
What public NAS policies show
Publicly available Australian company policies show a broadly consistent architecture. They usually define NAS, list prohibited services, set approval thresholds, require audit committee oversight and require periodic reporting.
The differences are in calibration. Some policies prohibit all NAS unless positively approved by the audit committee. Some permit management approval below a dollar threshold. Some set annual caps by reference to a percentage of audit or audit-and-assurance fees. Examples reviewed for this article include policies with CFO approval triggers of $25,000 to $50,000, audit committee or chair escalation above specified thresholds, and annual caps or review triggers around 20% to 30% of audit fees, although older policies may use higher settings.
The better modern policies are more than fee-cap documents. They require an independence assessment, refer to APES 110, consider the aggregate effect of multiple services, require reporting to the audit committee and deal expressly with services that could create self-review, advocacy or management-responsibility threats.
A practical governance standard
Boards and audit committees should consider reviewing NAS policies now. A contemporary policy should include at least the following features:
1. A positive approval rule: NAS is prohibited unless expressly approved under the policy.
2. A prohibited-services schedule aligned to APES 110, including bookkeeping, preparation of financial statements, valuation services, internal audit, financial systems design or implementation, management functions, significant tax structuring, advocacy, legal services, senior executive recruitment, broker/dealer or underwriting work, and any work creating a self-review threat for a public interest entity audit client.
3. Coverage of the whole group, including controlled entities, foreign subsidiaries, the auditor’s network firms and related assurance engagements.
4. Tiered approvals, with low-value and low-risk services capable of expedited approval, but sensitive services, sustainability-related advisory work, technology/cyber work, tax structuring, transaction work and higher-value work requiring audit committee or committee chair approval.
5. Aggregate annual monitoring, with hard caps or escalation thresholds. Many companies should consider a conservative annual cap or review trigger in the range of 20% to 30% of audit fees, with lower internal reporting triggers and exceptions requiring clear audit committee justification.
6. A “why this auditor?” test requiring management to document why the audit firm is the preferred provider, what alternatives were considered, and why the engagement will not impair independence.
7. A real-time NAS register, half-year and full-year reporting to the audit committee, and reconciliation to the financial statements and directors’ report disclosures.
8. Specific requirements for confidentiality, information barriers, tender conflicts, data access, breach notification and whistleblower escalation within the audit firm.
9. An annual look-back considering whether the approved NAS changed the audit plan, affected audit scepticism, created additional disclosure requirements or should influence future tendering or auditor rotation decisions.
Is this just a few bad actors?
It would be too easy to treat the issue as merely a few bad actors. Individual misconduct matters and should be addressed directly. But governance systems exist because good outcomes should not depend solely on the personal restraint of individuals operating inside revenue-driven organisations.
A well-designed NAS policy does not assume bad faith. It recognises human incentives, commercial pressure, information asymmetry and reputational risk. It gives management, the auditor and the audit committee a disciplined framework for saying “yes”, “no” or “not with this provider”.
The right conclusion is not that companies must never use their audit firm for any other service. The right conclusion is that any such engagement should be exceptional enough to be justified, controlled enough to be safe, transparent enough to be understood, and documented enough to withstand scrutiny after the event.
Governance in Action Pty Ltd can assist clients with the development and review of policies on the supply of non-audit services.
David Cantrick-Brooks FGIA FCG, Principal and Director of Governance in Action Pty Ltd, can assist with enquiries. Please feel free to reach out via LinkedIn or via gia.net.au.
AI-assisted tools and techniques were used here to support the research, drafting and editing of this publication. Responsibility for the final content rests with David Cantrick-Brooks.
Whilst accounting and legal terms and references may be contained in this publication, it does not constitute or purport to be or represent accounting or legal advice of any kind whatsoever. Readers should seek their own professional advice.