Maintain independence and manage risk on

engagements
Course features
Course objectives
At the end of this course, you will be able to achieve the following objectives:
• Recognize appropriate ways to maintain independence on engagements that
involve technology offerings, services and business relationships.
• Identify applicable laws and regulations to maintain independence on
engagements.
• Apply PwC's policies to maintain independence on engagements.
• Recognize your responsibility to manage risk on your engagements.
• Identify risk considerations during engagement start up activities.
• Apply appropriate quality or risk management policies and protocols to a
given situation.

Course completion
You will need to:
• Complete all modules to unlock the final assessment.
• Select the link on the last page of the course to access the final assessment.
Then pass the final assessment with a minimum score of 75% to receive
completion for the course.
• It is recommended that you take a screenshot of your successful passing of the
final assessment as proof of completion.

Navigation
• You can navigate through this course by selecting the hamburger icon at the top
of the screen and selecting each module in the sidebar.
• Each module contains media. Follow on-screen directions and scroll up or down
to advance or back out of screens within a module.
• Scroll down on each screen to ensure all screen content has been viewed.
• All interactions in the course must be selected in order to advance.
• Links within the course displayed in bold with an underline will launch
when selected.
• Knowledge checks allow unlimited attempts.
• Select the hamburger icon at the top of the screen to access the menu.
• Select the X at the top of the screen to exit the course at any time.
• Note that this course is multi-device enabled. If viewing on desktop, actions will
be clickable; if viewing on tablet or phone, actions will need to be tapped.
 • If you experience any technical difficulties, please contact PwC Help at 1-877
PwC Help (1-877-792-4357).

Glossary, resources and index

The glossary provides definitions of terms used in the course. Any terms defined in the
glossary will be indicated in orange. The resources provide links to additional
information referenced in the course. The index is a full transcript of all audio, video,
and text in the course. All can be accessed in the Glossary, resources and index in the
left hand menu.

Audio/video
• This course uses video and audio. Make sure your volume is set to a comfortable
level and that your speakers or headset are on.
• Select the Play button on the media player to listen to the audio.
• Select the Play button to launch each video.

Technical support
• Ensure connection to VPN and Internet while taking this course on
mobile devices.
• If you experience technical difficulties, please contact PwC Help at 1-877-PwC
Help (1-877-792-4357).
• If you receive an Adobe/Flash upgrade request, please do not accept it (select
No) and you should be able to proceed with the course.

CPE
CPE will be awarded upon successfully completing this course and passing the final
assessment.

Course welcome
In this course, which is eligible for CPE, you’ll learn about your responsibility to maintain
independence and manage risk on your engagements.

Please note: This year's training introduces content that may be new or unfamiliar to
some learners; as a result, a test-out option is not being offered.

Managing risk on engagements and maintaining independence when working with

clients or third parties is foundational to protecting our brand and reputation. How we
approach client and engagement matters helps mitigate exposure to business,
regulatory, legal and ethical risks. Complying with applicable standards and policies
enables us to deliver quality and meet the expectations of our clients, as well as fulfill
the responsibilities required of us by our regulators and other stakeholders.

Module 1: Maintain independence with services and

business relationships

As PwC professionals, we work in a regulated environment and, as such, we have to be

mindful of our responsibility to maintain independence in all that we do.
By the end of this module, you should be able to:
• Define key concepts and independence considerations specific to technology
offerings and professional services.
• Recognize your responsibility to maintain the firm's independence related to
services and business relationships.
• Identify independence considerations as you work with both unrestricted and
restricted entities.
• Apply appropriate independence policies and protocols to a given situation.

Maintain engagement independence

The nature of our work is continuously evolving, especially with the advancements in
technology and the evolution of business interactions among and between our clients
and PwC. Maintaining independence is critical when working with restricted entities, but
we also need to think about our work with unrestricted entities in certain situations as
well.

In this module, you’ll learn about:

• Assisting unrestricted clients with the design and/or development of an

unrestricted client’s commercial technology offering
• Independence considerations when providing consulting services to an
unrestricted entity, and whether: 1) these engagements create a joint business
relationship (JBR) with the unrestricted entity and 2) PwC’s independence rules
extend to the unrestricted entity’s Third Parties
• Topics that reinforce your knowledge of key independence considerations
throughout a non-audit service engagement with a restricted entity, including:
o determining the client’s restriction status
o determining the proposed scope of services
o evaluating permissibility of non-audit services
o delineating responsibilities of the client vs. PwC
o leading practices of both non-audit service engagement and audit
engagement partners/team members when managing scope and the
execution of deliverables

First, let’s review the concepts related to working with unrestricted entities and the
independence implications that arise in certain situations.

Introduction to commercialization and direct benefit

The current digital transformation era is impacting businesses globally and, now more
than ever, companies need the requisite skills and technologies to keep up with
customer and other stakeholder demands. At PwC, we’re engaging with clients in
various ways to meet these demands.

Two important ways we’re serving our clients in this area include:

1. Assisting clients in developing their own technology offerings, such as software

products, platforms or applications intended for commercialization
2. Providing PwC technology/service offerings to clients where other third parties have
the ability to use/interact with the PwC technology/service offerings and receive
a direct benefit

Commercialization
Commercialization, for purposes of this training, is referred to as our client
selling/making available in the marketplace a technology offering that PwC has assisted
them to design and/or develop.

PwC technology/service offering

A PwC technology/service offering is the term used when PwC contracts with a client to
provide professional services or license technology offerings under a traditional
engagement letter or license agreement, respectively.

Typically, these engagements are performed for unrestricted entities due to

independence considerations. However, it’s particularly important for Consulting
Solutions engagement teams to understand that, depending on the nature of services
they’re providing and the scope of the arrangement, there may be broader
independence considerations beyond the client that engages us – even if the client is
unrestricted. The independence considerations may extend to that client’s end user
clients/customers and/or unrelated third parties (collectively referred to as Third Parties
throughout this module).

One thing to keep in mind is that independence considerations can be complex, and the
specific facts and circumstances will dictate the independence guidance that should be
followed. To initiate this evaluation, questions have been added to the Engagement
Acceptance Form (EAF) as part of the firm’s Engagement Acceptance/Continuance
process. This allows Consulting Solutions engagement teams to evaluate whether their
client engagements may extend independence considerations to Third Parties when
either assisting clients with the design and/or development of a commercial technology
offering and/or the client’s Third Parties receive a direct benefit from a PwC
technology/service offering. It’s important to remember that engagement teams are not
alone and when additional guidance is needed, they can discuss with the OFRO
Independence Office.
Assisting clients with the design and/or development of a commercial
technology offering
As Consulting Solutions engagement teams work with clients in connection with the
design and/or development (design/development) of technology offerings that will be
commercialized by their clients, the services may range from engagement teams
providing high-level advice/recommendations, to engagement teams actually performing
the design/development of the clients’ technology offerings.
Due to the mutuality of interest and/or JBR concerns with PwC assisting an SEC
restricted entity with the design/development of a technology offering that will be made
available in the marketplace, these engagements should be limited to clients that are
unrestricted (C2), AICPA restricted, or GIP restricted. Engagements with AICPA or GIP
restricted entities will be subject to an independence permissibility analysis, in addition
to the broader independence considerations with the client’s Third Parties.
When we’re designing/developing a client’s technology offering, a JBR may be created;
therefore, Consulting Solutions engagement teams should be aware that a JBR can be
created in both the design/development phase as well as the commercialization stage
depending on how the consulting engagement or arrangement with the client is scoped.
Engagement teams should discuss with the OFRO Independence Office when
designing or developing a client’s technology offering — where the client has the right to
commercialize the technology offering — to determine whether a formal consultation
is required.
Helpful link: Assisting PwC clients with the design and/or development of commercial
technology offerings (USIP 6000.419).

Independence considerations when providing consulting services

related to the design/development of a client’s commercialized
technology offering
When seeking to engage with a client to assist in the design/development of a
technology offering that will be commercialized by the client, the engagement team
should understand that a JBR may be created and depending on the facts and
circumstances, PwC’s independence rules may extend to the client’s Third Parties.
Key independence considerations that need to be assessed:
The nature of PwC’s involvement in the design/development of the commercialized
technology offering
 • A JBR is created between PwC and the client during the design/development
phase when PwC’s involvement goes beyond the 5-Step Advisory Process or low
level activities.
• A JBR is not created between PwC and the client during the design/development
phase when PwC’s involvement is limited to the 5-Step Advisory Process and/or
low level activities.
• For more information on the 5-Step Advisory Process and low level activities,
refer to the guidance note: Assisting PwC Clients in the Design/Development of
Technology Offerings (Appendix II).
Whether the commercialized technology offering is considered a financial information
system (FIS)
It’s important to determine whether the technology offering is considered a FIS from an
independence perspective because the technology offering could be licensed or made
available to an entity under audit or any of its affiliates where there may be a
self-review threat.
If... Then...
In situations where the client’s • A JBR is not created between PwC and the
commercialized technology client during the design/development phase if
offering is considered a FIS: the consulting engagement is limited to the 5-
Step Advisory Process and/or low
level activities.
• A JBR is created between PwC and the client
during the design/development phase if the
consulting engagement is scoped beyond the 5-
Step Advisory Process or low level activities.
o However, because the technology
offering is considered a FIS, PwC’s
independence rules would extend to the
client’s Third Parties, regardless of
whether the JBR extends to the
commercialization phase – due to
the self-review threat; therefore,
Consulting Solutions engagement teams
are limited to providing services under the
5-Step Advisory Process and/or low level
activities.
In situations where the client’s • A JBR is not created between PwC and the
commercialized technology client during the design/development phase if
offering is considered a the consulting engagement is limited to the
non-FIS: 5-Step Advisory Process and/or low
level activities.
• A JBR is created between PwC and the client in
the design/development phase if the consulting
engagement is scoped beyond the 5-Step
Advisory Process or low level activities. In this
instance, the JBR could be terminated at the
end of this design/development phase provided
that PwC doesn't have ongoing involvement in
the commercialized offering that would extend
the JBR.
o If PwC has ongoing involvement in the
commercialized technology offering that
would extend the JBR to the
commercialization phase, PwC’s
independence rules would extend to the
client’s Third Parties – therefore, the
Third Parties would be considered PwC
clients from an independence perspective
and subject to PwC’s
independence rules.

Helpful link: Assisting PwC clients with the design and/or development of commercial
technology offerings (USIP 6000.419).

JBR extension to the commercialization phase and PwC’s

ongoing involvement
In addition to consideration of whether a JBR is created during the
design/development phase, engagement teams will need to consider whether the
JBR extends through to the commercialization phase.

When a JBR is created during the design/development phase for a non-FIS

technology offering, the JBR would extend to the commercialization phase, and
therefore PwC’s independence rules apply to all sales of the technology offering, if PwC
were to have ongoing involvement.
Ongoing involvement that would extend the JBR to the commercialization phase
includes, but is not limited to, the following:
 • Benefiting financially from future sales of the client’s technology offering
• Retaining any rights to intellectual property (IP)
• Having liability with respect to future sales of the technology offering
• Being involved in promotion/marketing/advertising of the technology offering by
PwC or having PwC’s logo or brand used
• Being an exclusive/preferred implementer of the client’s technology offering
o PwC may be included on a list of potential implementers of the client’s
technology offering without any preference or mention of PwC’s
involvement in the design/development of the client’s technology offering.
Remember: When a JBR is created between PwC and the client during the
design/development phase of a technology offering that is a FIS, PwC’s independence
rules would then extend to the client’s Third Parties, regardless of whether the JBR
extends to the commercialization phase – due to the self-review threat, therefore,
Consulting Solutions engagement teams are limited to providing services under the 5-
Step Advisory Process and/or low level activities.

Review key concept of direct benefit

PwC may contract with an unrestricted entity to provide professional services or
license technology offerings under a traditional engagement letter or license
agreement, respectively, for the client’s own internal use and consumption.
However, there may be situations in which the PwC’s technology/service offering
is not considered solely for internal use by the client and a client’s Third Parties
also receive a direct benefit from a PwC technology/service offering.
Why is this important?
A JBR exists between PwC and the client when the client’s Third Parties receive a
direct benefit from a PwC technology/service offering.
• Because of this, the JBR with the client must be permissible and the client’s Third
Parties will be considered PwC clients from an independence perspective, and
therefore PwC’s independence rules will extend to the Third Parties.
What should engagement teams do?
If Third Parties have the ability to use/interact with a PwC technology/service offering, the
determination as to whether the PwC technology/service offering is for the client's internal
use or whether the Third Parties receive a direct benefit can be complex and is an
evolving area. Criteria for determining whether the PwC technology/service offering is for
the client's internal use is forthcoming -- until then, it’s best to discuss with the OFRO
Independence Office.
Summary
Independence considerations when:
• assisting a client in the development of a technology offering for
commercialization; or
• a PwC technology/service offering creates a direct benefit to the client’s Third
Parties

Know the independence implications when the arrangement with a

client creates a JBR and the independence rules extend to the client's
Third Parties
If it’s concluded that an arrangement with a client creates a JBR and the
independence rules extend to the client's Third Parties, the independence
considerations are as follows:
A JBR is created between PwC and the client which will need to be assessed for
permissibility and approved through the firm’s standard JBR approval process.
The Third Parties must be recorded in the firm’s systems (i.e., as a Salesforce
opportunity).
The PwC independence rules will apply to the Third Parties.
• If the third parties are restricted entities, the overall technology/service offering
will need to be assessed for permissibility and if permissible, appropriate
approvals will be needed, including AFS and, where applicable, audit committee
pre-approval.
Helpful link: JBR acceptance and approval process.
In all our interactions, from evaluating an opportunity through executing the work, we
consider how to remain independent of our audit clients, including affiliates.
Now, we’re going to switch gears and review independence considerations when
delivering non-audit services to audit clients for both the non-audit service and audit
engagement teams.

Evaluating opportunities
Determine the client’s restriction status
Prior to preparing a proposal, one of the first things non-audit service
engagement teams need to do is determine the permissibility of the proposed
services based on the client’s restriction status and type – if the client is a
restricted entity, the applicable independence rules must be followed.
How do we define a “restricted entity”?
A restricted entity includes the entity under audit and its affiliates. Certain other entities,
such as beneficial owners with significant influence (BOSIs), are also restricted for
lending and/or business relationships.
What is a restriction type?
Restriction type (SEC, AICPA, GIP, etc.) is based on the assurance deliverables
associated with the audit/attest engagement, which is important because independence
requirements vary depending on the type of restriction. The applicable independence
rules will dictate the types of services and relationships that may be permissible or
impermissible.
For affiliates of an audit client that are “not subject to audit”, are service
prohibitions the same as those applicable to the entity under audit?
For affiliates “not subject to audit”, the service prohibitions related to a self-review threat
generally do not apply. Other service prohibitions such as management
responsibilities/management functions are the same as the entity under audit and
affiliates subject to audit.
How do I find out about a client’s restriction status or type?
Central Entity Service (CES) will indicate whether an entity has a financial interest
restriction, scope of service restriction and/or business relationship restriction, and
information specific to the restriction type.
What happens if a client's restriction status or restriction type changes?
• Because a change in client’s restriction status can impact the permissibility of
any proposed services, it’s always best to double check the restriction status in
CES, even when you think you know it.
 • As a reminder, changes or events at an audit client that result in the application
of more restrictive independence requirements would necessitate the
performance of an independence assessment.
Helpful links: OFRO Independence Office and Independence assessments guidance.
Meet Tatiana
Tatiana works in the Consulting Solutions – Cyber, Risk & Regulatory practice. Her
partner would like to propose consulting services to Client Y, but they’re unsure if the
client is a restricted or unrestricted entity.

Knowledge check #1
Which resource should Tatiana use to check her client’s restriction status?
A. Central Entity Service (CES)
B. Authorization for Services (AFS)
C. Statements of Permitted Services (SOPS)
D. US Independence Policy (USIP)

Determining the proposed scope of services

From a business perspective, properly scoping and executing engagements is
important regardless of the client’s restriction status; however, when working
with a restricted entity, it’s additionally important to scope the work properly to
minimize the risk of an independence violation arising from impermissible
services, which can lead to serious consequences for both PwC and the
audit client.
For non-audit service engagement teams that intend to propose services to a restricted
entity, it’s required that they have a discussion, prior to pursuing the service, with the
Independence Responsible Partner (IRP) to determine any independence issues. In
certain situations, the discussion might be met through the AFS process. Note: In most
cases, the IRP is the same as the audit partner.
It’s also important to select the correct service entity in Salesforce in order to have the
correct restriction information, therefore enabling the AFS to be assessed properly.
When the correct entity isn’t selected, potential delays to the AFS approval process and
the contract review process may occur.
Separately, certain non-audit services may be considered permissible from an
independence perspective, however, risk management policy sets forth that
these permissible non-audit services are no longer being delivered to SEC-issuer
audit clients.
Engagement teams can seek independence guidance on defining the scope of a
potential opportunity and scope documents (e.g., draft proposals, draft engagement
contracts) for a restricted entity by contacting ASSIST or initiating a consultation with
the OFRO Independence Office.

Voluntary changes in an audit client’s restriction status (i.e.,

restricted to unrestricted)
There might be situations in which PwC and/or a restricted entity would like to explore a
change in the nature of the relationship, such that the restricted entity would become an
unrestricted entity. In the event that circumstances arise whereby PwC and/or an audit
client would like to explore the possibility of the restricted entity becoming an
unrestricted entity in order to enter into a service or relationship that would not
otherwise be permitted, engagement teams should first refer to USIP 4110.3 — this is
important because the policy contains guidance for who in the firm should be contacted
to discuss exploring the possibility of a restricted entity becoming unrestricted.

Engagement startup
Evaluating permissibility of non-audit services
When evaluating the permissibility of non-audit services, the applicable
independence rules must be followed depending on the client’s restriction status
and the nature of the services.

Performing these steps is critical for PwC to maintain independence with respect to
restricted entities and avoids potential violations:
Understanding the services and deliverables
The nature and scope of the proposed services, along with the client’s restriction status,
will determine if the scope and deliverables are permissible for the client.
Understanding how the engagement will be executed
When providing non-audit services, engagement teams confirm that all services are
executed in accordance with the permissible scope (e.g., determining adequate
involvement of client management, avoiding changes to the agreed upon scope of
work, etc.).
Understanding the Authorization for Services (AFS) process
Non-audit service engagement teams need to obtain an approved Authorization for
Services (AFS) (including Extended SEC AFS Procedures (E-AFS), if required) before
being engaged to provide services to a restricted entity. The AFS process facilitates the
review and approval of non-audit services by the IRP and, if required, an Independence
Specialist from the AFS Review Team.
 • As part of the AFS process, the non-audit service engagement team is
responsible for evaluating the permissibility of the proposed services by referring
to the applicable guidance in USIP 7000.
• Once the AFS has been prepared and the draft engagement contract is attached,
the non-audit service engagement team will submit it to the IRP and, where
applicable, an Independence Specialist from the AFS Review Team for their
approval. The IRP is responsible for assessing permissibility of the services and,
where required, the audit partner is responsible for obtaining audit committee
pre-approval.
• AFS approval must be obtained prior to being engaged to provide services to the
client.
• Recurring services, including licensing renewals, require an AFS annually:
o Where a service is, is expected to be, or becomes a multi-year contract
with recurring services, the initial AFS authorization for such services is
valid for a period of 12 months from the date of final approvals of the
initial AFS.
o Subsequent AFS authorizations should then be obtained on an annual
basis for the services to be provided in the succeeding year under such
multi-year contracts.
Helpful link: Working with: restricted entities.

Roles and responsibilities when evaluating the permissibility of non-

audit services
It’s important that non-audit service engagement teams understand their
responsibilities when evaluating the permissibility of non-audit services.
• Consider technology needs throughout the lifecycle of the engagement —
specifically consider the independence implications of using such technology
when delivering services to both restricted and unrestricted entities
• Scope the services properly and provide a thorough permissibility analysis in the
AFS request with appropriate references to USIP and SOPS
• Clearly define the activities and deliverables, and delineate the client’s role from
PwC’s role at the activity level
Remember: Reach out to ASSIST for independence guidance on defining the scope of
a potential opportunity or initiate a consultation with the OFRO Independence Office.
The audit engagement team plays an active role when it comes to evaluating the
permissibility of non-audit services.
For IRPs and any audit engagement team members involved in reviewing the scope of
non-audit services as part of the AFS process:
Consider all the relevant independence guidance and do your own research to assess
permissibility. If additional assistance is needed in evaluating the permissibility of the
services, initiate a consultation with the OFRO Independence Office.
Consider and document any cumulative threat (refer to USIP 7200.1 for more
information) that the audit engagement team has reason to believe is created by other
non-audit services.
Obtain timely audit committee pre-approval and follow any incremental requirements
(i.e., PCAOB Rule 3524 or 3525 communications) prior to approving the AFS.
Incremental pre-approval requirements must be met in connection with seeking baseline
pre-approval.
Important: When an audit committee utilizes a pre-approval framework to pre-approve
services, teams are required to inform the audit committee, at least on an annual basis,
of each service performed or engaged for, under the framework.
Helpful links: SEC Audit Committee Pre-Approval Framework Practice Aid and USIP
4100 Audit committee pre-approval.

The importance of delineating the responsibilities of the client vs.

PwC on your engagements
Under SEC and AICPA rules, PwC is prohibited from performing management
functions or management responsibilities, respectively. The SEC rules are more
restrictive, such as prohibiting acting temporarily or permanently as an employee of an
SEC-restricted entity. Because we are prohibited from performing management
functions or management responsibilities, delineating the responsibilities of the client vs.
PwC in the development of deliverables is critical. One way we do this is to confirm that
there will be active involvement by client management in performing all management
functions or responsibilities and making all decisions such that PwC would not be (or be
perceived as being) a part of client management or its processes.
Where permissible, using the 5-Step and 7-Step Advisory Processes helps non-audit
service engagement teams scope and execute non-audit services in a way that
maintains our independence and minimizes the risk of PwC performing a prohibited
management function or responsibility.
While both Advisory Processes require active involvement by client management in
providing input and making and owning all decisions, the key differences between the 5-
Step and 7-Step Advisory Processes are (1) the level of PwC's advice during the client's
decision making process and (2) in how "hands on" PwC can be in the creation of
outputs or deliverables (e.g., the client's system design, the client's project plan, or the
client's test scripts).
Important note: It’s best if proposals, Statements of Work and engagement letters
reflect the delineation of the client’s role from PwC’s role.
Helpful links: Refer to 5-Step and 7-Step Advisory Processes for more detailed
information on when to apply these processes or consult with the OFRO
Independence Office.
Meet Dhruv
Dhruv is a non-audit service engagement team member whose team has initiated an
AFS request for services they’d like to provide to an SEC-restricted entity. The team
met with the IRP to discuss the opportunity and have provided a thorough permissibility
analysis in the AFS request. The team feels confident the proposed services will be
approved, and the client is anxious to kick off the engagement.

Knowledge check #2
Which statement accurately reflects when the non-audit service engagement team can
be engaged, and then start fieldwork?
A. Once the non-audit service engagement team has discussed the permissibility of
the services with the IRP and the AFS is likely to be approved.
B. Once audit committee pre-approval has been obtained by the IRP, even if they
haven’t received notification that the AFS has been approved in the system.
C. Once audit committee pre-approval requirements have been met and the AFS
has been approved in the system.
D. Once any questions regarding the permissibility of the services are resolved by
an Independence Specialist from the AFS Review Team.

Sequencing of key activities

Following the proper sequence of activities during engagement startup is one of
the most important ways engagement teams confirm that all independence
requirements have been met before client work begins.
Remember, the engagement letter can’t be signed, or fieldwork begun, until audit
committee pre-approval is obtained (if needed) and the AFS has been approved,
including completion of the E-AFS, where applicable. Sequencing issues are a frequent
inspection finding and lead to violations that can result in consequences under the One
Firm Accountability Framework.

Engagement execution
Leading practices for non-audit service and audit engagement partners/teams
Both non-audit service engagement team and audit engagement team members
should be aware of how scope changes and the execution of deliverables can
have an impact on the firm’s independence.
Non-audit service engagement partner/team:
• Prior to finalizing the draft scope with the client, review with the client their
responsibility to make all management decisions and take ownership of
project outcomes
• During engagement kick off, review the approved scope of services with the
project/service delivery team and share the signed engagement letter approved
through the AFS
• Make all team members aware of delineation of roles and responsibilities
• Confirm each team member understands risks associated with scope
creep including:
o how it could arise from the client
o what the escalation procedures should be if such requests are made by
the client and
o how even minor changes to scope can impact permissibility of services
• If services not contemplated in the original AFS are proposed or if there is a
substantive change in the scope of pre-approved services, the non-audit service
engagement team needs to evaluate the permissibility of the work and, if
permissible, create a new AFS. The new AFS must be approved (including
obtaining any required audit committee pre-approval) before work can begin.
• Consider developing a schedule to include the audit engagement team’s review
of draft deliverables, allowing for sufficient time to review and comment before
submitting to the client
Note: The non-audit service engagement leader is responsible for monitoring the scope
of the service such that it does not extend beyond that initially authorized or
communicated as part of the AFS or audit committee approval, as applicable.
Audit engagement partner/team:
• Meet with the non-audit services engagement team to emphasize the need to
execute according to the approved engagement letter
• Check in regularly with the non-audit services engagement team to understand
any requests from the client to perform activities beyond the approved scope; ask
the non-audit services engagement team to describe how they’re working with
the client to create deliverables as approved in the AFS
 • Work with the non-audit engagement partner/team to understand the deliverable
timeline (i.e., for review of draft deliverables or comparison of deliverables to
those agreed upon in the engagement letter)
Note: The IRP is responsible for reviewing and approving an incremental AFS and the
audit partner is responsible for seeking additional pre-approval (as required) if services
not contemplated in the original pre-approval requests and AFS are proposed, or if
there’s a substantive change in the scope of pre-approved services. Remember, this
must happen before work can begin.
Recognize the firm resources available to assist you in maintaining independence
with services and business relationships
At PwC, we don’t go it alone.
As a PwC professional, it’s your responsibility to be knowledgeable of the firm’s
independence policies to maintain independence on engagements and with
business relationships.
Refer to the OFRO Independence Office site or use the ‘Contact us’ page to locate a
specialist who can help.

Key takeaways
Remember:
• Be aware of independence considerations when assisting clients with the design
and/or development of an unrestricted client’s commercial technology offering.
• Understand the independence considerations when providing consulting services
to an unrestricted entity, and whether: 1) these engagements create a JBR with
the unrestricted entity and 2) PwC’s independence rules extend to the
unrestricted entity’s Third Parties.
• It’s everyone’s shared responsibility to help maintain independence on
engagements with restricted entities and when dealing with potential business
relationships.
• If proposing services to a restricted entity, understand the client’s restriction
status and applicable independence rules so you can scope and execute the
services appropriately.
• Be aware of changes with your client that may result in a change in restriction
status and take appropriate actions if needed.
• Follow the appropriate sequencing of key activities during engagement startup.

Module 2: Manage risk

At PwC, successful engagements require the appropriate
management of risk.
By the end of this module, you should be able to:
• Recognize the impact of addressing client and engagement risks on the quality of
your engagements.
• Identify key considerations for evaluating opportunities.
• Identify start up activities that help mitigate risk on engagements.
• Use quality and risk management policies to execute engagements.
• Apply policies and protocols relating to technology assets.

Enhance quality on your engagements by addressing client and

engagement risks
Our approach
Our engagement startup procedures exist to safeguard PwC’s brand and reputation by
balancing risks with our business objectives. It’s the responsibility of each partner and
staff member to adhere to our risk management and independence policies, particularly
as the firm continues to see growth in new areas, such as managed services and
artificial intelligence (AI). Through consistent engagement management and execution,
we foster strong relationships and build trust with our clients.
How you can get help
You can find our risk management policies on the One Firm Risk Organization (OFRO)
website, with additional policies applicable to assurance engagements included in the
PwC Audit Guides on Viewpoint. The OFRO Risk Assessment Facilitation Team (RAFT)
is a group of firm specialists, aligned by service offering, that are available to assist
teams in assessing and managing the risks of client service delivery.

ACs are expected to follow the quality and risk management processes prescribed by
their respective business segments:

• Consulting ACs: refer to the Risk Governance dashboard in Project Management

Quality Automation (PMQA); for assistance, locate your process quality analyst
on the AC My Quality portal.

• Tax ACs: refer to the Tax AC Quality portal for information and guidance; for
assistance, reach out to your local AC quality contacts.

• Assurance ACs: refer to the Assurance AC Quality Portal for additional

information; for assistance and/or further information on local policies or
guidance, reach out to your local AC Quality contacts.

Helpful links: OFRO website and OFRO policies.

Meet Max
Max is a global transfer from another PwC territory and is getting up to speed on US
policies. He has just been asked to join an engagement kicking off next month for
Client X.
He knows he needs to complete several risk management activities as part of the
engagement startup process, but he’s not sure what to do first.

Which activity should Max complete first?

 A. Evaluate the opportunity from a business perspective and manage the
opportunity in Salesforce.
B. Draft the contract and send it over to the client for their review.

Not only should opportunities be evaluated by the business and managed in Salesforce
but teams should also check the restriction status of the client in CES.

To understand independence implications, if any, restriction status must be considered

as part of assessing whether PwC can perform the services.

Evaluating opportunities
As we evaluate opportunities, here are some additional considerations to address
before preparing and delivering a proposal:
Evaluate technology needs to be used by the engagement team during delivery or to be
provided to the client. In some instances, guidance from Independence Matters for
Technology Offerings or Products & Technology may be needed.
Obtain approvals for working with third parties – the OFRO JBR team can help with
approvals for working with a third party.
Perform a Relationship Check when evaluating new clients or a target client when the
opportunity involves a transaction.
If traveling outside of home territories, engage Cross Border Engagement Services
(CBES) to identify and manage risks from cross-border activities.
Be aware of bankruptcy situations – reach out to the OFRO Bankruptcy Consultation &
Facilitation Team (BC&FT).
For additional information on all pursuit, proposal and Client Experience guides and
templates, visit the Client Experience Launchpad.
Choosing the correct entity in Salesforce impacts the engagement startup
process, including data in the Rapid Engage tool

It’s important to confirm that you’re entering opportunities under the correct entities in
Salesforce. Selecting the correct entity name, whether parent or subsidiary, has a direct
downstream impact on the engagement startup process.

Once your opportunity moves to or past the “Interact” stage in Salesforce, it will appear
on the Rapid Engage landing page – therefore it’s critical to include accurate
information in Salesforce to confirm Rapid Engage provides you with the proper steps
for completing engagement startup.

Remember: Rapid Engage helps you with auto-initiating the proper forms (e.g., EAF
and/or AFS) and pre-populating some required fields based on the information you
provide in Salesforce. The automation of the tool helps you understand and navigate
the key activities needed to successfully onboard a new engagement.
Helpful links: Rapid Engage and OFRO Systems & Applications.
Engagement startup activities
Max and his engagement team have evaluated the opportunity, entered the opportunity
into Salesforce and determined the client is an unrestricted entity.
The next step is for the team to complete the Client Acceptance process to confirm the
client is acceptable by firm standards.
The Client Acceptance process is a risk assessment of all new or unaccepted clients
and their key management team members.
The Adverse Data Search (ADS) looks at the background of the client and its
management, to help us evaluate negative material that should be considered to
understand the reputation and association risks with the prospective client.
• Clients with no adverse data identified are marked as “Accepted” and no
additional client acceptance procedures are required.
• Clients with adverse findings are escalated for engagement leader review; or,
• Clients with serious adverse findings are escalated for OFRO consultation and
remain in ‘client declined’ status pending consultation
Remember: A client must be a current accepted client of the firm before we can accept
an engagement and perform work.
After receiving the results and determining the ADS identified no adverse data for their
client, Max and his engagement team are excited to begin work for their client.
Has the team completed all the necessary activities to begin work for the client?
1. Yes
2. No
Through the Engagement Acceptance process, engagement teams should work
together with their engagement leader to identify and mitigate potential risks associated
with the work to be performed at the engagement level for the following:
• Any new engagement – including no-fee engagements
• Any change of scope with services that are distinct and different from the original
work, therefore potentially changing the risk profile
• Any recurring engagements where the client has or may become a
restricted entity
Engagement Acceptance must be completed and approved before signing the
engagement contract or starting work.
Remember: If the client is a restricted entity, an Authorization for Services (AFS) is
required, and in some cases audit committee pre-approval is also required.

Contracting
After Max and his team prepare the Engagement Acceptance Form (EAF), their
engagement leader is responsible for confirming the team’s responses, approving the
form and obtaining any additional approvals, where required. Once the EAF is
approved, Max’s team should create the engagement contract and work with the client
to finalize and execute it.

Adhering to PwC’s contracting processes and policies is one of the most important ways
we can mitigate risk to the firm. In addition, a well-written contract enables us to confirm
we have a “meeting of the minds” with our clients regarding key topics like the scope of
services, responsibilities, fees, risk allocation and dispute resolution framework for an
engagement. Negotiating a contract is often a significant investment of time and energy
by both PwC and the client, but a well-written contract helps to establish clear
engagement expectations and provides a roadmap for the successful delivery of our
services.
Contracting considerations to keep in mind:

• A proposal is not a contract and should not be treated as one — it’s a marketing
tool and doesn’t contain the necessary terms, conditions or details to serve as
the contract with the potential client.
• Similarly, we can’t rely on verbal agreements or emails in place of a fully
executed contract.
• A contract must be signed by a PwC partner and the client prior to beginning
work and before deliverables are created or shared with the client.
• The correct PwC contracting entity should be inserted into the contract based on
the services being performed and the PwC signing partner. New PwC contracting
entities are being utilized as of July 1, 2023. Review this site for more information
on selecting the correct PwC entity for your contract. PwC US Group LLP
shouldn’t sign any client or JBR contracts.
• Products are contracted under license agreements (not services agreements);
refer to Contracting for Products and Technology for more information.
Tools and resources available to help teams with the contracting process
The Contracting Gateway on the OFRO website helps US engagement teams quickly
identify the tools, guidance and teams that will support all engagement
contracting needs.
All engagement teams performing services in the US are required to use their
designated contracting system to generate and store engagement contracts — these
tools make drafting and storing engagement letters, Statements of Work and other
contracts simpler.
The firm is rolling out new contracting technologies in FY24. The new tools will launch
on a staggered basis starting in FY24, and business teams will receive formal
communications when it’s time to begin transitioning.
Keep an eye out for these communications to confirm you’re using the correct
contracting system for your business segment/platform.
Helpful link: Contracting Gateway.

Commercial and Risk/legal terms

A standard service engagement contract includes commercial (scope of services and
economic terms) and risk/legal terms with which engagement teams should be familiar.
Commercial Terms
Commercial terms include the scope of services and economic terms specific to
the engagement.
• The scope of services in the engagement contract covers the nature, timing and
extent of the activities to be performed during the engagement. Also included are
details of the deliverables or reports to be produced and any
assumptions/limitations applicable to the engagement.
• The economic terms include the fees, expenses and taxes to be paid by the
client; timing of payments and invoicing protocols are also among the topics
covered. Consult with the OFRO Strategic Negotiation & Pricing (SNAP) team for
support on pricing negotiation strategy.
Risk/legal terms
PwC maintains standard engagement terms and conditions with respect to risk and
legal issues. Examples include:
• Protection of each party’s confidential information
• Restrictions on the use and disclosure of PwC’s engagement deliverables
• Limitations on each party’s liability under the contract
• Each party’s indemnification obligations (e.g., PwC’s indemnification of the client
for third party intellectual property (IP) infringement claims relating to PwC’s
deliverables or the client’s indemnification of PwC for claims related to third party
reliance on PwC’s deliverables)
• Ownership of the engagement deliverables and other work product produced
by PwC
• Rules and processes governing disputes between the parties
• Law governing the contract
Remember:
• While drafting and negotiating the scope of services and economic terms is
primarily within the engagement team’s control, the Contracting Center of
Excellence (CCoE) in the US should be consulted as appropriate.
• Risk policy requires consultation with the CCoE (in the US) when clients seek to
negotiate the risk/legal terms (e.g., indemnification and limitations on liability).
While the firm respects client requests, we generally discourage revisions to our
standard risk/legal terms in order to best protect the firm and its assets.

Knowledge check #3
During contract negotiation, clients may question or propose changes to our standard
terms and conditions. How should engagement teams handle such requests from
the client?
i. Be prepared and understand the terms.
ii. Be patient and respond timely to client questions.
iii. Inform the client that we will never accept any changes to our standard terms
and conditions.
iv. Involve risk management and contracting specialists, as appropriate.

Engagement execution
Now that Max and his team have completed the contracting process, they’re ready to
begin the work for Client X.
Does risk management stop once the contract is signed?
1. Yes
2. No

Engagement team responsibilities

Engagement teams are responsible for oversight and execution of all risk management
activities on their engagements and should continue to monitor and assess risk
throughout engagement execution by:
Monitoring changes in scope, deliverables, assumptions, fees and timeline to prevent
scope creep
Implementing operational controls to assist the engagement team with adhering to the
contract (e.g., data-handling protocols)
Preparing client deliverables while considering how the deliverable will be used by
the client
• Is the deliverable attributed to PwC?
• Does the deliverable need disclaimer language?
• Should the deliverable be “branded” or “unbranded”? What’s outlined in the
contract?
Documenting work and conclusions
• Each engagement should have timely and sufficient evidence documented to
support all significant aspects of the work and conclusions
• Documentation should be properly maintained, retained and safeguarded in a
PwC-approved electronic repository
Considering incremental execution requirements for Assurance and related services
engagements included in the PwC Audit Guides (public and non-public)
Identification of troublesome practice matters and client-related issues
Troublesome Practice Matters (TPMs) may result in financial and reputational damage
to the firm and our people through unfavorable publicity, legal claims, significant
financial settlements, potential violations of professional rules or standards, potential
violations of laws and regulations, or potential regulatory enforcement actions.
A TPM is a situation in which the firm is providing a product or professional service to a
client and:
• a client, third party, or PwC person formally files a complaint or claim alleging
that the product or service is deficient in some way; or
• it's more likely than not (i.e., with a probability of 50.1% or greater) that a client,
third party, or PwC person will formally file a complaint or claim that the product
or service is deficient in some way; or
• there is an internally or externally identified instance of non-compliance with
contractual obligations, laws or regulations associated with the firm’s delivery of
the product or service (e.g., a missed tax filing for a client).
Resolution of troublesome practice matters and client-related issues
Once engagement team members become aware of a TPM, they must promptly
escalate the matter to the appropriate firm resources as outlined in Risk Policy 07 -
Troublesome Practice Matters (TPMs) and Client-related Issue Escalation. All partners
and employees are accountable for being aware of and adhering to our TPM policy,
including how to report and address TPMs appropriately. Like our other policies, there
are consequences for non-compliance.
Difficult or contentious issues that may temporarily negatively impact service delivery
and/or scope (e.g., engagement execution matters that do not meet the definition of
TPM) are not TPMs. However, all identified product or service engagement issues
should be assessed by engagement leaders and teams, and escalated to the
appropriate business leaders, the Lead Client Partner (LCP) and OFRO or Trust
Solutions Quality Management as applicable in a complete and timely manner, as
engagement “issues” could become TPMs if not managed appropriately.
While managing risk throughout engagements is important, of equal importance is
delivering quality work. Engagement teams may encounter quality reviews during their
engagements, relative to the type of service, certain criteria and the level of risk
assessed.

Engagement teams are evaluated not only on client deliverables but their adherence to
PwC’s risk and quality protocols, and execution of the protocols in the proper sequence.
All risk management activities, even those that may seem insignificant or administrative
in nature, are in scope for quality reviews – including engagement startup through
execution and the closing of documentation files.

Remember, ACs are expected to follow the quality and risk management processes
prescribed by their respective business segments.
Helpful link: Review Execution and deliverables policies for further information and
links to the PwC-approved electronic repositories.
Meet Justine
Justine just wrapped up an engagement with her client. The client contact is now
reaching out to see if PwC can assist them with a technology asset that decreases the
manual input of patient data during the patient registration process. Justine’s team has
recently been working on a technology asset that may fit this need. The tool will be used
with the client to collect patient registration data, analyze patient metrics, and provide
visualizations that the client can view. Justine anticipates deploying this technology to
additional clients across the sector in the future.

Knowledge check #4
How should Justine mitigate risks associated with this technology?
A. Validate testing and quality review of the outputs using the technology
B. Obtain leadership approval and submit a request through the territory’s process
for reviewing technology assets
C. Update the contract to include the technology asset and provide client access
D. Demo the tool to the client to make sure it will meet their needs
Understand when and how to consult on technology assets
Considerations
Mitigating risk to capture opportunities that involve the use of technology assets
involves additional considerations that are different from providing services.
Examples include:
• Protection of our intellectual property (IP)
• Needing to incorporate “flow down” commitments we make to our technology and
data vendor agreements into our client contracts
• Independence considerations specific to using PwC technology with clients and
the use of third party technology/data in the development and/or deployment of
technology assets
• Data privacy and security associated with any processing or storing of
information by the asset
• Contracting
• Collection of sales tax for product licenses or where technology is used by PwC
and the client in support of engagements and is specifically itemized in the
engagement contract
Process
Each territory has a process for developing and approving technology for use with
clients and PwC teams. It confirms business leadership alignment and support for
PwC-owned, reusable technology assets. These technologies include:
• Product solutions, which are licensed to clients for their use, including
independent of a services engagement;
• Engagement solutions, which are technology assets used by PwC teams to
support our services but are not licensed to clients, used beyond the scope of our
engagement or left behind when it is over; and
• Firmwide solutions, which support internal firmwide operations or
business processes
Once an asset has been endorsed by leadership and prioritized for review, it’s reviewed
and approved through the territory’s process to confirm the tool is developed or
enhanced to meet client and user expectations and that it aligns with PwC standards,
policies and requirements.
Prior to using any technology asset with clients, it must be approved for that specific
use, whether the use is by PwC teams or our clients or both.
There may be scenarios where third-party software is a better option. In those cases,
you will need to be sure the software was procured in compliance with the firm’s
procurement policy and the vendor agreement permits the specific use you wish to
pursue. Please understand the requirements prior to providing access or promising
anything to the client.
Helpful link: Risk Policy 12.01 - PwC Product Sales.

Additional considerations related to technology assets:

Deploying technology assets raises different considerations than just providing services
Technology assets have different review and approval requirements depending upon a
variety of factors, such as complexity, access, IP ownership, the types of data it stores
or processes, contracting, pricing, independence requirements and others. The good
news is the firm has processes to support the analysis and compliance with these
considerations. Don’t go it alone!
Citizen-led automations that are intended for PwC internal use only with no client
access aren’t subject to the previously described processes; these assets are reviewed
through the territory’s Digital Lab governance processes
As a reminder, our network member firms and Acceleration Centers (ACs) are separate
legal entities. Therefore, we cannot share our technology assets with them unless a
contract is in place
When the ACs are being leveraged to help build a technology asset, the local territory
engaging AC resources is responsible for the leadership endorsement and review
processes, unless the asset is being developed for AC use related to their own firm
processes
When in doubt, please consult!
In the US:
• For information about or how to engage the Firm’s process for technology asset
review, contact the Ready For Market team for guidance or the Products &
Technology site for more information
• For Independence related questions, visit the Independence Matters for
Technology Offerings on the OFRO website
• For general risk questions related to technology and data use, please reach out
to the OFRO Products & Technology Risk & Quality team

Recognize the firm resources available to assist you in managing risk

At PwC, we don’t go it alone.
As a PwC professional, it’s your responsibility to be knowledgeable of the firm’s risk
management policies and to lead by example within your teams regarding the
importance of managing risk and delivering quality.

Refer to the OFRO website or use our ‘Contact us’ page to locate a specialist who
can help.
ACs are expected to follow the quality and risk management processes prescribed
by their respective business segments:
• Consulting ACs: refer to the Risk Governance dashboard in Project
Management Quality Automation (PMQA); for assistance, locate your
process quality analyst on the AC My Quality portal.
• Tax ACs: refer to the Tax AC Quality portal for information and guidance; for
assistance, reach out to your local AC quality contacts.
• Assurance ACs: refer to the Assurance AC Quality Portal for additional
information; for assistance and/or further information on local policies or
guidance, reach out to your local AC Quality contacts.

Key takeaways
Remember:
• Follow the appropriate sequence of approvals and use firm-approved tools
throughout the lifecycle of your engagement – use Rapid Engage to assist you.
• Be familiar with the standard terms and conditions of our contracts.
• Consider how your team will use technology on your engagements and consult
the appropriate teams, when necessary.
• Continue to monitor risk throughout execution of the work – including changes to
the scope, applying disclaimers to deliverables (if required) and documenting
your engagements appropriately.