Services Outside the Scope of Practice of Auditors

SOX Section 201 requires you to prevent your external auditor (a registered public accounting firm) from performing certain non-audit services for your company at the same time they audit you. To operationalize it, put a pre-approval gate in front of all auditor-related work, maintain a prohibited-services list, and retain clear evidence that any permissible work was approved and kept separate from audit activities. (Public Law 107-204)

Key takeaways:

  • Maintain a firm, written boundary: your audit firm cannot provide specified non-audit services contemporaneously with the audit. (Public Law 107-204)
  • Implement a practical intake-and-approval workflow for any engagement involving the audit firm or its affiliates. (Public Law 107-204)
  • Keep audit-ready artifacts: service descriptions, approvals, invoices, and independence representations tied to each engagement. (Public Law 107-204)

“Services outside the scope of practice of auditors” is an independence requirement: the same firm that audits your financial statements cannot also act in roles that create self-review risk, management participation risk, or conflicts during the audit period. SOX Section 201 lists categories of non-audit services that are prohibited contemporaneously with the audit, such as bookkeeping, financial information systems design, appraisal/valuation, actuarial services, internal audit outsourcing, management functions, broker-dealer services, and other services that place the auditor in an incompatible role. (Public Law 107-204)

For a Compliance Officer, CCO, or GRC lead, the fastest path to compliance is to treat this as an operational intake control, not a policy statement. Your goal is simple: every request to hire, expand, or renew work with the external audit firm must route through a defined approval step, be checked against the prohibited-services list, and be documented in a way that survives audit committee scrutiny and external inspection.

This page gives requirement-level implementation guidance you can deploy quickly: who it applies to, what to build, what evidence to keep, exam questions to expect, and common failure modes that cause independence concerns and rework.

Regulatory text

SOX Section 201 (Services Outside the Scope of Practice of Auditors) states that it is unlawful for a registered public accounting firm to provide certain non-audit services contemporaneously with the audit, including bookkeeping, financial information systems design, appraisal or valuation, actuarial services, internal audit outsourcing, management functions, and broker-dealer services. (Public Law 107-204)

Operator interpretation: you must prevent your external auditor from being engaged for any of the prohibited categories during the audit period. Practically, you do this by (1) identifying the audit firm and covered affiliates, (2) screening every requested service against the prohibited list before purchase orders or SOWs are executed, and (3) documenting approvals and independence conclusions for anything permitted. (Public Law 107-204)

Plain-English interpretation (what the requirement means)

  • If the firm signs your audit opinion, that same firm cannot also “do the work” in areas that would later be audited, or take on roles that look like management decisions. (Public Law 107-204)
  • The restriction is about contemporaneous provision of services with the audit. Your operational program should assume the audit period spans planning through issuance, and control the entire window unless counsel/audit committee defines a narrower boundary. (Public Law 107-204)
  • The list in the statute is your minimum “do-not-buy” list. Treat it as hard-stop categories for the audit firm. (Public Law 107-204)

Who it applies to (entity and operational context)

Entities

  • Issuers / public companies: you are the buyer of audit and professional services and must govern engagements so independence is preserved. (Public Law 107-204)
  • Registered public accounting firms: they are legally prohibited from providing the listed non-audit services contemporaneously with the audit. In practice, you still need controls because the purchasing process sits on your side. (Public Law 107-204)

Operational contexts where this shows up

  • Finance leadership wants the audit firm to “help clean up” reconciliations or close processes.
  • ERP/financial systems changes trigger a request for the audit firm to design or implement controls or systems.
  • Transactions prompt valuation, appraisal, or actuarial analyses.
  • Internal audit needs staffing and considers the external auditor as a convenient outsource option.
  • HR asks the audit firm for recruiting, compensation design, or management advisory support that crosses into management functions. (Public Law 107-204)

What you actually need to do (step-by-step)

1) Define the population: who counts as “the auditor”

Create and maintain a record of:

  • The engaged audit firm legal entity and brand name(s)
  • Any affiliates/subsidiaries that might contract under a different name but are part of the audit firm network (track per your contract and the firm’s independence letter)
  • The audit engagement period you will treat as “contemporaneous” for intake screening (document your definition and who approved it). (Public Law 107-204)

Practical tip: most independence failures start with “it wasn’t the audit team” or “it was another office.” Your control should be based on the firm relationship, not an individual partner.

2) Build a prohibited-services decision table (hard stop)

Convert the statutory list into an internal gate checklist. Minimum hard-stop categories to include:

  • Bookkeeping or accounting records work
  • Financial information systems design/implementation
  • Appraisal/valuation services
  • Actuarial services
  • Internal audit outsourcing
  • Management functions (including acting in a decision-making capacity)
  • Broker-dealer services (Public Law 107-204)

Add internal examples under each category that match your company reality (e.g., “prepare journal entries,” “design chart of accounts,” “configure ERP financial modules,” “perform management’s control testing on behalf of management”).

3) Implement an intake workflow for any service involving the audit firm

Put a single control point in front of:

  • New SOWs/MSAs
  • Change orders
  • Renewals
  • Emergency “quick help” requests
  • Statements of work routed through Procurement, Finance, Legal, Internal Audit, or business units

Minimum workflow fields

  • Requesting department and business owner
  • Service description in plain language
  • Whether the provider is the audit firm or an affiliate
  • Service start/end dates
  • Whether any audit-related teams will rely on outputs
  • Initial classification against the prohibited-services table
  • Approver(s) and approval date (Public Law 107-204)

Approvals

  • Route to the owner of auditor independence controls (often the Controller, CAE, CCO, or Audit Committee designee).
  • If your governance model requires it, include Audit Committee pre-approval for permissible non-audit services; document the decision even when the answer is “no.” (Public Law 107-204)

4) Add procurement and AP “stop signs”

Controls fail when someone bypasses the intake process. Add operational blockers:

  • Supplier master tagging: flag the audit firm and known affiliates.
  • PO controls: require an independence approval ID before PO issuance.
  • AP exception reporting: any invoice from the audit firm without an approval ID gets held for review.

5) Document independence conclusions for allowed work (if any)

SOX 201 is a prohibition on specified non-audit services contemporaneously with the audit. If you do engage the audit firm for other services you believe are permissible, treat the documentation like a mini-independence memo:

  • What the service is (and is not)
  • Why it does not fall into a prohibited category
  • Who approved it
  • How you prevented management role substitution or self-review (for example, management retains responsibility for decisions and sign-offs). (Public Law 107-204)

6) Train the requesters who create risk

Targeted training beats broad annual training. Train:

  • Finance leadership and accounting managers
  • Procurement intake teams
  • Internal audit leadership
  • IT finance systems owners
  • Corporate development/FP&A teams that request valuations (Public Law 107-204)

Use scenario-based examples from your prohibited-services table. The goal is to stop requests before they become urgent.

7) Centralize evidence in a single system of record

You need an audit-ready place where you can answer: “What services did the auditor provide, when, who approved them, and why were they permissible?”

If you manage third-party engagements in Daydream, map the audit firm as a third party with an “auditor independence” flag, attach the prohibited-services checklist to the intake, and require approvals before contract execution. Keep the independence memo, approvals, and invoices attached to the engagement record so evidence retrieval is immediate.

Required evidence and artifacts to retain

Keep artifacts per engagement and in aggregate:

Program-level

  • Auditor independence / non-audit services policy referencing the SOX 201 prohibited categories (Public Law 107-204)
  • Prohibited-services decision table with internal examples (Public Law 107-204)
  • Role-based workflow diagram and approval matrix for audit-firm services
  • Training materials and completion evidence for targeted teams

Engagement-level (for each service request involving the audit firm)

  • Intake form/request ticket
  • Service classification outcome (prohibited vs permitted rationale)
  • Approval record (including “denied” decisions)
  • SOW/MSA/change order
  • Independence representation letter(s) received from the audit firm, if provided in your process
  • Invoices and payment approvals tied back to the approved scope (Public Law 107-204)

Common exam/audit questions and hangups

Expect auditors, audit committee members, and internal reviewers to ask:

  • “Show me all payments to the external auditor and affiliates, and the approved scope for each.”
  • “How do you know business units aren’t buying prohibited services outside Procurement?”
  • “What is your definition of ‘contemporaneously with the audit,’ and who approved it?”
  • “How do you classify borderline requests like ‘advice’ on systems design or ‘help’ with close processes?”
  • “What happens when an engagement expands midstream?” (Public Law 107-204)

Hangup to plan for: requesters describing work in vague terms (“support,” “assist,” “advisory”). Your intake form must force a concrete deliverable description.

Frequent implementation mistakes (and how to avoid them)

  1. Relying on policy only.
    Fix: add PO/AP gating and supplier tagging so the policy is enforced operationally.

  2. Screening by partner/team instead of firm.
    Fix: treat the entire audit firm and known affiliates as covered; keep a maintained affiliate list.

  3. Letting “emergency help” bypass controls.
    Fix: create an expedited approval path that still requires classification and written approval before work starts.

  4. Misclassifying work due to vague scoping.
    Fix: require deliverables, dates, and who will use the output. If it touches accounting records, systems design, valuation, actuarial, internal audit outsourcing, management functions, or broker-dealer services, stop and escalate. (Public Law 107-204)

  5. Weak evidence retention.
    Fix: store approvals, SOWs, and invoices together under one engagement record (a GRC/TPRM system like Daydream, or a controlled repository with consistent naming).

Enforcement context and risk implications

The immediate risk is auditor independence impairment, which can trigger audit committee escalation, restatement risk, re-audit costs, disclosure issues, and regulator attention depending on facts and materiality. SOX 201 makes the prohibited services unlawful for the audit firm to provide contemporaneously with the audit, so you should treat any potential violation as a priority incident and involve Legal and the Audit Committee quickly. (Public Law 107-204)

Practical 30/60/90-day execution plan

First 30 days (Immediate stabilization)

  • Identify the external audit firm(s) and known affiliates; tag them in Procurement/AP systems.
  • Publish the prohibited-services list as a one-page decision table aligned to SOX Section 201 categories. (Public Law 107-204)
  • Stand up a simple intake form and require it for all new/expanded work with the audit firm.

Days 31–60 (Control hardening)

  • Implement PO gating: no PO or SOW without independence approval ID.
  • Add AP exception reporting for invoices from the audit firm without an approval ID.
  • Train Finance, Procurement, Internal Audit, and IT finance systems owners using real scenarios. (Public Law 107-204)

Days 61–90 (Operational maturity)

  • Perform a lookback review of recent payments to the audit firm to confirm each maps to an approved, permissible scope; remediate gaps.
  • Add periodic reporting to the Audit Committee: engagements, approvals/denials, and exceptions.
  • Move evidence management into a single system of record (for example, Daydream) so approvals, contracts, and invoices are linked and searchable.

Frequently Asked Questions

Does SOX Section 201 mean we can never buy any consulting from our external auditor?

No. The requirement prohibits specific categories of non-audit services contemporaneously with the audit. Your control should screen requested work against the prohibited categories listed in SOX Section 201 and document approvals for anything permissible. (Public Law 107-204)

What counts as “financial information systems design” in practice?

Treat system configuration, implementation design, or building financial reporting processes as high-risk and likely prohibited when performed by the audit firm. Require detailed deliverables in the intake so you can classify the work against the SOX 201 prohibited category. (Public Law 107-204)

Internal Audit wants help with testing. Can our external auditor provide staff augmentation?

SOX Section 201 lists internal audit outsourcing as a prohibited non-audit service contemporaneously with the audit. If Internal Audit needs support, source it from a different third party and document the selection rationale. (Public Law 107-204)

We already signed an SOW and now realize it might be prohibited. What should we do?

Stop work, escalate to Legal and the Audit Committee governance path, and document the facts: scope, timing, deliverables, and payments. Then decide on remediation steps and replace the provider if the service maps to a prohibited category. (Public Law 107-204)

How do we control “shadow spend” where a business unit pays the audit firm directly?

Add the audit firm to a restricted supplier list, require an approval ID on POs, and run AP exception reports for any invoice from the audit firm or affiliates without documented approval. Centralizing engagements in Daydream also helps by making intake the default path.

Do we need to retain evidence even for requests we deny?

Yes. Denial records show the control operates and help explain why prohibited services were not purchased. Keep the request, classification, and denial approval together. (Public Law 107-204)

Authoritative Sources

  • Public Law 107-204, Sarbanes-Oxley Act of 2002, Section 201 (Services Outside the Scope of Practice of Auditors)
