Technology Working Group Final Phase 2 Report Executive Summary

Revise the Code, for example, in Subsection 114 Confidentiality, to clarify whether firms and organizations may use client or customer data for internal purposes, such as training AI models, and if so, the parameters of such use (prior, informed consent; anonymization). Non-authoritative guidance should be developed to specifically emphasize the expectations for complying with the fundamental principle of integrity when using client or customer data for AI training, i.e., obtaining consent that is meaningful, informed, and transparent.

Develop further guidance around the importance of transparency and explainability, whether through non- authoritative guidance or in the Code, specific to when a PA relies on or uses transformative technologies (e.g., AI). Such guidance would highlight that PAs cannot abdicate their public interest responsibility and accountability when relying on or using technology (even in highly automated environments).

This additional guidance might explicitly set out expectations for a PA when relying on a technological solution. For example, before relying on a machine learning tool, the PA would be expected to ensure that the tool is explainable (i.e., that they can reasonably understand the rationale for decisions made by the technology). The Working Group believes that the PA need not be the expert who can explain the tool, but should have access to such an expert and should obtain a reasonable understanding in order to be comfortable with the tool’s inputs, processing, and outputs.

Furthermore, consideration should be given to the ethics expectations for PAs when they are involved with developing transformative technology solutions, for example, that they are expected to promote the development of explainable systems, particularly in high-stakes applications.

Revise the Code to address the ethics implications of a PA’s custody or holding of financial or non-financial data belonging to clients, customers, or other third parties. Such a workstream could be scoped to also include considering threats to compliance with the fundamental principles given the complexity created for PAs who need to remain current with an evolving patchwork of cross- and intra-jurisdictional data privacy laws and regulations, as well as the ethics challenges related to data governance and management (including cybersecurity).

Continue raising awareness of a PA’s strategic role in data governance and management (including cybersecurity), and develop educational resources to highlight such a role.

With a view to the broader expectations for PAs to exhibit and champion ethical leadership and decision-making, develop non-authoritative guidance to emphasize the potential actions a PA might take when applying the conceptual framework and complying with the Code’s fundamental principles in technology-related scenarios relevant across various PA roles and activities.

To strengthen the concepts of transparency and accountability, add new material to the Code as part of the subsections on “communication with TCWG” in Parts 2 and 3 to encourage, or require, meaningful communication with TCWG by PAs (including individual Professional Accountants in Public Practice (PAPPs) and firms) about technology-related risks and exposures that might affect PAs’ compliance with the fundamental principles and, where applicable, independence requirements.

These concepts are not unique to technology-related risks and exposures, but rather are broadly applicable whenever there are risks and exposures that might affect PAs’ compliance with the fundamental principles and, where applicable, independence requirements (e.g., technology, tax planning, sustainability). There is an opportunity to incorporate such communications into the Code more generally in the future, so that it can be considered under all circumstances.

Develop non-authoritative guidance and/or revise the Code in paragraphs 220.7 A1 and 320.10 A1 to emphasize the importance of a PA assessing the extent to which an expert being used and relied upon behaves in alignment with the Code’s fundamental principles, and the factors to consider in making such an assessment.

Such guidance would be applicable whenever experts are used (e.g., technology, tax planning, sustainability) and goes beyond independence considerations.

Engage more actively with other bodies, such as IFAC’s International Panel on Accountancy Education (IPAE) and professional accountancy organizations (PAOs), to encourage them to arrange educational activities to raise

awareness about the characteristics of “sufficient” competence in the context of the Code and the International Education Standards (IESs). Such other bodies are better placed to develop non-authoritative guidance to illustrate and emphasize how the Code’s principles apply when determining sufficient competence.

Revise the Code, for example, within Section 270 Pressure to Breach the Fundamental Principles, to include illustrations of pressures on PAs (such as time and resourcing constraints; competence gaps; the complexity of technology, laws and regulations; the pace of change; uncertainty, etc.).

In addition, consider revising the description of the intimidation threat (paragraph 120.6 A3)) to acknowledge that objectivity is not the only fundamental principle that might be impacted by this threat. For example, feeling pressured or intimidated as a result of information overload or an exponential pace of change might threaten professional competence and due care.

Finally, advocate to PAOs and other bodies, such as IFAC’s IPAE, the development of additional non-authoritative resources to raise awareness of, and provide guidance on, how PAs can manage sustained pressures.

Given the rise in strategic and commercial relationships between accounting firms and technology and other companies, consider revising Part 3 of the Code to consider the ethics implications of business relationships, in addition to revising Section 520 Business Relationships more comprehensively to address potential threats to the fundamental principles and, where relevant, independence, in the context of broader business relationships and new forms of relationships that are emerging.

Continue initiatives to advocate the importance and relevance of Code, as well as to develop, facilitate the development of, and/or contribute to non-authoritative resources and materials. Appendix II of this report summarizes the pertinent technology-related topics that would particularly benefit from additional non-authoritative guidance to draw out potential ethics issues that might arise and how the Code applies in such scenarios.