Can our statutory auditor be the QI reviewer? | Reviewer independence explained

Can our statutory auditor be the QI reviewer?

Short answer: Yes—if independence is unquestionable. The QI Agreement allows an internal or external reviewer. What’s prohibited is self-review and any same-firm conflict (when the same firm designed, implemented, or operated your QI/FATCA/1042-S processes).

What the reviewer’s work supports: the Responsible Officer (RO) Certification. The periodic review must be method-aligned (per the QI Agreement/appendices) and produce defensible evidence (test scripts, samples, findings, remediation, and dossier mapping).

1) What is actually required?

  • Independence & objectivity of the reviewer (internal audit or external firm).
  • Appendix-aligned scope covering documentation, withholding, and reporting.
  • Evidence-based testing: sampling plan, test execution, findings, and an RO certification dossier.

Rule of thumb: the builder/operator cannot be the reviewer.

2) Independence requirements (clear & auditable)

A) No self-review

The reviewer must not evaluate work that they (or their firm) designed, implemented, or operated—e.g., your W-8/W-9 validation rules, coding guides, FATCA/withholding workflows, 1042-S mappings, or any automation/tools used in QI controls.

B) Avoid the “same-firm” conflict

If your statutory auditor’s firm performed QI design/operations, the firm is conflicted for QI review—even if a different team would perform the review.

C) Internal reviewer is allowed—if separated

Internal Audit (or a suitably segregated second line) may perform the review when it’s functionally independent from QI operations, has a documented mandate/method, and gets full evidence access.

3) Typical conflict scenarios (and clean solutions)

Situation Conflict? Clean solution
Statutory auditor only audits financial statements No conflict May act as QI reviewer; document independence
Same firm authored W-8/W-9 rules or 1042-S mappings Conflict Engage a different external firm as reviewer
Internal Audit reviews; QI operations sit in Operations OK Keep functional separation; document mandate & method
External consultant built QI workflows and wants to review them Conflict Switch the reviewer (no self-review)
Group shared service designed QI; subsidiary asks group auditor to review Likely conflict Use a firm with no prior design/ops role; when in doubt, go external

4) Mini decision tree (yes/no)

  1. Did the potential reviewer’s firm design/implement/operate QI, FATCA, or 1042-S processes?
    Yes → Not permitted. No → proceed.
  2. Is the reviewer (team/function) organizationally independent from QI operations?
    No → Not permitted. Yes → proceed.
  3. Are method/scope/tests & evidence fully documentable?
    No → Fix method/evidence before starting. Yes → Permitted.

Tip: capture this in a 1–2 page Independence Assessment Memo.

5) How to document independence (checklist)

Place these in your dataroom:

  • Engagement acceptance memo (independence confirmed; no prior QI design/ops work).
  • Org chart & mandate (for Internal Audit: functional independence).
  • Conflict-of-interest declarations (team & firm-wide).
  • Scope letter (Appendix-aligned scope, deliverables, sampling approach).
  • Independence statement addressing same-firm/self-review explicitly.

Controls to tick:

  • [ ] Reviewer’s firm did no QI design/operations for the period in scope
  • [ ] Engagement team had no role in building the processes being tested
  • [ ] Full access to evidence (docs, payments, 1042-S/1042, logs)
  • [ ] Remote fieldwork permitted (or on-site plan agreed)
  • [ ] Reporting structure agreed (findings, remediation, dossier, QAAMS attachments)

6) Sample wording (scope & independence)

Independence
“[Firm] confirms that neither [Firm] nor any member of the engagement team has designed, implemented, or operated the Client’s QI/FATCA/1042-S processes or tools during the period under review. No self-review or same-firm conflict exists.”
Scope
“The review will cover documentation, withholding, and reporting (including 1042-S/1042 reconciliation) in line with the QI Agreement appendices. Testing is risk-based across documentation files and payments. Deliverables include a findings register, remediation roadmap, and an RO certification dossier (evidence map + executive memo).”

7) FAQ

Can our statutory auditor be the reviewer?
Yes—provided no self-review or same-firm conflict exists. Document independence in the acceptance memo and scope letter.
Is a different team within the same firm sufficient?
No—if the firm designed or operated QI processes, the firm is conflicted for review. Engage a different firm.
Is an internal reviewer allowed?
Yes. Internal Audit can review if functionally independent from QI operations and following an appendix-aligned method with full evidence access.
Do we need on-site fieldwork?
Not required by the IRS. A fully remote review is fine if evidence is provided (dataroom, exports, screenshares). Local data-residency rules may still require on-site viewing.
Do we need a separate review for QDD?
Through 2026 the QDD review is suspended; certification still required. From 2027 a full QDD review is expected—plan early.
Have questions about reviewer independence?
We’ll map your situation to the QI rules in a short call.

Related service & further reading

👉 QI Periodic Review — fixed scope, 6–8 weeks