Self-Review Threat: Definition, Examples & Safeguards

Self-Review Threat

A self-review threat arises when an auditor or assurance firm is placed in the position of evaluating a previous judgement, calculation, or service that the firm itself performed, creating a conflict between professional objectivity and the natural reluctance to identify errors in one's own work.

Definition

Self-Review Threat

An ethical threat to auditor independence that occurs when a firm must assess work, advice, judgements, or systems that the same firm previously provided to the audit client.

What it represents

A self-review threat is one of the recognised ethical threats to auditor independence, alongside self-interest, advocacy, familiarity, and intimidation.

How it arises

The threat appears when a firm performs a non-audit service and later audits the output of that service, placing the engagement team in the position of reviewing its own firm's work.

Common examples

Preparing financial statements, designing controls, performing valuations, or building systems that generate audited data can all create the threat.

Regulatory framework

The IESBA International Code of Ethics and the FRC Ethical Standard require firms to identify, assess, and address self-review threats before accepting or continuing an engagement.

Governance connection

The audit committee plays a central role in approving non-audit services and monitoring whether the external auditor's independence has been compromised.

What a Self-Review Threat Means

A self-review threat is a category of ethical risk recognised in auditing and assurance standards. It arises when an audit firm, or a member of the engagement team, must evaluate the results of a previous judgement, calculation, system design, or advisory service that the same firm provided to the client. The concern is especially important because the audit opinion is valuable only when users can trust that the auditor has approached the evidence independently.

The IESBA International Code of Ethics classifies self-review as one of the main threats to compliance with the fundamental principles of professional ethics. In the UK, the FRC Ethical Standard restricts or prohibits certain non-audit services for audit clients where the firm's prior involvement would make independent challenge difficult to sustain. That approach reflects a practical governance judgement, because some conflicts are too embedded in the structure of the engagement to be solved by review procedures alone.

How a Self-Review Threat Works

The mechanism centres on the same firm producing work and later providing assurance over whether that work is accurate, complete, or fairly presented. The difficulty is less about deliberate misconduct and more about the conditions under which professional scepticism operates. A team reviewing calculations it prepared, controls it designed, or assumptions it helped select faces a natural bias toward confirming that the original work was reasonable.

In practice, the threat is often triggered by previous involvement. A firm that assists a client with tax provisioning and then audits financial statements containing those provisions is reviewing numbers it helped create. The same logic applies when a firm designs an internal control framework and later evaluates its operating effectiveness, or when it develops an IT system whose outputs feed directly into the reports under audit. Because the prior service shapes the evidence being tested, the audit team may need to challenge decisions made by colleagues within the same commercial organisation.

The identify, assess, and mitigate framework is intended to interrupt that pattern before the engagement proceeds. Firms must consider the nature of the previous service, the materiality of the affected area, the extent of management's independent judgement, and whether any safeguard can reduce the threat to an acceptable level. Where the service has a direct and material effect on the audited financial statements, separation at firm level may be the only credible response.

Real-World Example

Consider a mid-tier firm engaged to provide corporate finance valuation services for a property company preparing its annual financial statements. The advisory team values a portfolio of investment properties at fair value under IFRS 13, using yield assumptions, market comparables, and management information. Six months later, the same firm's audit team is asked to test whether those valuations are materially correct as part of the statutory audit.

The audit partner would need to ask whether the engagement team can credibly challenge assumptions that originated within the firm itself. Even if different staff are assigned, the firm still has an interest in the advisory work being viewed as competent and defensible. Depending on the client's status, the materiality of the valuation, and the applicable ethical standard, the firm may need to decline the valuation engagement, withdraw from the audit, or arrange for the affected work to be performed by a genuinely independent firm.

Key Considerations and Limits

The self-review threat framework is most straightforward when the boundary between advisory and assurance work is visible. A firm that prepares financial statements and then audits them is clearly conflicted, and many regulatory regimes prohibit that combination for public interest entities. The assessment becomes more difficult when the prior involvement is indirect or partial, such as tax advice that affects one judgemental line item in accounts otherwise prepared by management.

In those cases, the judgement depends on materiality and on whether management genuinely exercised independent judgement over the figures. A client that understands the assumptions, challenges the analysis, and takes responsibility for the final number presents a different risk profile from one that simply accepts the firm's recommendation. Even so, engagement-level safeguards can be weaker than they appear because the deeper issue is institutional. The reviewing partner may be uninvolved in the original work, but the firm still benefits commercially and reputationally from that work being accepted as sound.

For audit committees, the practical question is whether the proposed non-audit service could later become part of the audit evidence. If it could, pre-approval should focus on the substance of the service rather than the fee alone. The UK Corporate Governance Code reinforces this discipline by placing responsibility on the board and audit committee to monitor auditor independence, including the nature and extent of non-audit services.

Self-Review Threat vs Advocacy Threat

Self-review and advocacy threats both impair auditor independence, although they pull judgement in different directions. A self-review threat arises when the firm is asked to assess its own prior work, while an advocacy threat arises when the firm promotes or defends a client's interests. The distinction matters because the safeguard must address the source of the bias, whether that source is loyalty to the firm's own output or alignment with the client's preferred outcome.

| Dimension | Self-Review Threat | Advocacy Threat |
|---|---|---|
| Source | Evaluating the firm's own prior judgement or work product | Promoting or defending a client's interests |
| Typical example | Auditing financial statements the firm helped prepare | Representing a client in a tax dispute or capital markets promotion |
| Direction of bias | Toward confirming that the firm's original work was correct | Toward the client's preferred outcome |
| Primary safeguard | Avoiding dual-role services and separating audit from prior work | Separating assurance work from client representation |
| Regulatory focus | Restrictions on non-audit services for audit clients | Restrictions on acting as advocate while providing assurance |

Where a self-review threat concerns the firm's relationship with its own work, an advocacy threat concerns the firm's relationship with the client's position. A firm that prepares valuation assumptions feeding into audited financial statements faces a self-review threat. If it then presents those same valuations to investors on the client's behalf, the advocacy risk compounds the original independence problem and may require withdrawal from one or both engagements.

In Practice

For boards and audit committees, self-review threat assessment should be treated as a governance decision rather than a technical compliance exercise. The central judgement is whether the auditor can still challenge the evidence with the independence that shareholders, lenders, and regulators expect. When the prior service shaped a material balance, control, estimate, or system, the safest conclusion may be that the assurance work belongs elsewhere.

The strongest audit governance processes address the issue before the service is approved. By asking how today's advisory work might affect tomorrow's audit, the audit committee can prevent conflicts before they become embedded. That discipline protects the credibility of the audit opinion and preserves the wider purpose of assurance, which is to give users confidence that reported information has been examined independently.
