Speech by Marek Grabowski at the University of Tennessee Corporate Governance Center
News types: Speeches
Published: 28 March 2014
On 14 March 2014, FRC Director of Audit Policy, Marek Grabowski gave a speech at the C Warren Neel Corporate Governance Center in the College of Business Administration at the University of Tennessee as part of their ‘Distinguished Speaker Series’. The event was hosted by Professor Joe Carcello, cofounder and Executive Director at the Corporate Governance Center.
The plain text version of Marek's speech, "Recent developments in auditing – in a UK context", can be found below.
Speech by Marek Grabowski, FRC Director of Audit Policy, at the University of Tennessee Corporate Governance Center
Recent developments in auditing – in a UK context
14 March 2014
I was delighted to accept Joe’s invitation and I am very pleased to have this opportunity today to talk about the work of the UK Financial Reporting Council in seeking to underpin and enhance audit quality and to increase public confidence in the value of audit.
Let me first put some context around the value of audit. The corporate governance and reporting framework underpins what we see as the privilege of limited liability. Audit is a key element of that framework and public confidence in corporate governance and reporting depends, in part, on public confidence and trust in the value of audit. But, as the financial crisis and many previous crises have shown, that trust is fragile and is quickly eroded when trust in governance and reporting is undermined.
I suggest there are two key root causes of such fragility in public trust in audit.
First, audit is a very opaque product (a ‘black box’) from the perspective of its intended beneficiaries. Even those who understand the process map that is described by the auditing standards would know very little of substance about any particular audit if they were not insiders. That is because the essence of the audit is the professional judgments made by the auditor, at all stages of the audit, as a basis for their opinion. Those judgments, which must be made with objectivity and integrity and with a range of important competencies, are hidden from outsider view. Audit inspectors get an inside view of those judgments through the audit working papers and audit committees are exposed to them to some extent through communications with the auditor. An outsider may have access to the views of the inspectors or audit committee but otherwise what they see are the failures of audit – for example, when an audit fails to detect a later identified misstatement or when an inspector or regulator sanctions the auditor for poor work or misconduct.
Second, the audited entity appoints and pays the auditor; and auditors (at least in the private sector) are commercial organisations with motivations to make profit from their business. They are very often multi-service businesses that may well see the audited entity as a commercial target for their non-audit service offerings. Unchecked, such motivations create inherent conflicts of interest that may incentivise the auditor to compromise their integrity and objectivity in making audit judgments. These threats, whether or not the auditor succumbs to them, create a ready basis for distrust by outsider users, if and when audit failures come to light. This issue is exacerbated because users often do not understand the scope and design limitations of an audit. So what they perceive as audit failures may extend to circumstances that were not failures of the audit to deliver what it was designed to deliver. Even if users do fully understand the scope and design limitations of the audit, they may question the point of an audit if those limitations result in the audit failing to forewarn of, or prevent, a significant loss of value for them.
In effect, the system calls for ‘blind trust’ in auditors and in the effectiveness of their audit judgments because neither that effectiveness nor the integrity and objectivity of the auditor, can be perceived directly by the user.
So, in developing measures to repair the damage to trust in audit sustained in the financial crisis, our aim has been to focus on making the key audit judgments more transparent, on reducing the threats to objectivity and integrity and, recognising the interdependencies, on improving the quality of governance, reporting and audit in a holistic manner.
~~~~~
At 50,000 feet, that is a brief summary of what we have been trying to do and why. Before getting closer to the ground, let me also explain a little about the FRC because the unique nature and combination of our powers and responsibilities has enabled us to take some actions that other audit regulators would not be able to implement on their own.
The FRC is the UK’s financial reporting, audit and actuarial standard setter; and we also set guidance for broader corporate reporting. We’re responsible for inspecting the quality of financial statements and annual reports issued by public interest entities and the quality of their audits. We also have powers to sanction poor audit work and misconduct. Last but not least, we set the UK Corporate Governance and Stewardship Codes.
This breadth of responsibility enables us to build our standards on the experience we gain from our inspections of financial statements and audits, and from our professional discipline work. But it also enables us to combine our influence over corporate governance and corporate reporting – including the work of boards, and especially that of audit committees – with our regulation of auditors, to promote holistic solutions to corporate governance and reporting issues that include enhancing the role and quality of audit.
But we don’t operate in splendid isolation. Business operates globally and its regulation has a strong international dimension. In addition, the public interest in governance and reporting makes it inevitable that legislators and other regulators will take direct action when a crisis occurs. Despite the breadth of our responsibilities, there are therefore plenty of other players who influence and regulate corporate governance, reporting and audit and we have to ensure that we dovetail our solutions effectively with the many other international and domestic initiatives being taken.
We are committed to serving the needs of investors - our mission is to promote high quality corporate governance and reporting to foster investment. We have two primary strategies to support this mission. The first is to create a framework that encourages trustworthy behaviour by directors and professionals and effective engagement by investors. The second is to encourage companies to produce trustworthy information that contributes to informed decisions. High quality audit plays an important part in delivering each of these strategies.
Coming back to my earlier comments on the value of audit – we therefore want that value to accrue both exogenously – by enhancing public confidence in corporate reporting and governance – and endogenously – by engendering better governance and reporting behaviours within companies.
We also seek to build justified confidence internationally in the UK regulatory framework for corporate governance and reporting, including across the EU and other major capital markets. Furthermore, we support effective global regulatory solutions because they can be leveraged in our own framework and they support good governance and reporting by non-UK components of UK owned groups. The breadth of our role gives us the opportunity to work closely with Government and other regulators in the UK and internationally in a joined-up way. We aim to provide leadership in international debate; to guard against damaging consequences of international regulation; and to promote justified confidence amongst international investors.
Our auditing standards are based closely on those of the IAASB (the ISAs) in almost all respects except auditor reporting, and they have been since 2004, anticipating the adoption of the ISAs in Europe. That adoption has recently been agreed by EU legislators and is likely to be in place from 2016.
Our primary objective in relation to audit is to promote high quality audits. We do also pay attention to other matters such as the level of competition in the audit market in the UK but only to the extent that is consistent with reinforcing quality.
~~~~~
With that background to the FRC, let me turn to our recent work in relation to auditing and the related changes we have made to the corporate governance and reporting regime. In overview, what have been the drivers for these changes, what do we hope to achieve and where are we on the journey?
The stimulus for change in our arena, as in so many others, has been the financial crisis. No great surprise there. In the immediate aftermath of the crisis we did not find that poor auditing was the root cause of the meltdown in the banking sector. However, we did become convinced that auditors should have done more to sound a warning bell about the level of risk being taken on by the banks. Investors were entitled to expect that auditors, boards and regulators would work together more effectively to identify, assess, mitigate and report on risk. And I will say that, based on our inspections, we were in no doubt about the need to lift the bar in terms of audit quality and there was a clear need to increase public confidence in the value that audits bring.
We place a high degree of faith in the power of transparency to incentivise audit quality. In relation to audit, recently:
Recent developments in auditing – in a UK context
14 March 2014
I was delighted to accept Joe’s invitation and I am very pleased to have this opportunity today to talk about the work of the UK Financial Reporting Council in seeking to underpin and enhance audit quality and to increase public confidence in the value of audit.
Let me first put some context around the value of audit. The corporate governance and reporting framework underpins what we see as the privilege of limited liability. Audit is a key element of that framework and public confidence in corporate governance and reporting depends, in part, on public confidence and trust in the value of audit. But, as the financial crisis and many previous crises have shown, that trust is fragile and is quickly eroded when trust in governance and reporting is undermined.
I suggest there are two key root causes of such fragility in public trust in audit.
First, audit is a very opaque product (a ‘black box’) from the perspective of its intended beneficiaries. Even those who understand the process map that is described by the auditing standards would know very little of substance about any particular audit if they were not insiders. That is because the essence of the audit is the professional judgments made by the auditor, at all stages of the audit, as a basis for their opinion. Those judgments, which must be made with objectivity and integrity and with a range of important competencies, are hidden from outsider view. Audit inspectors get an inside view of those judgments through the audit working papers and audit committees are exposed to them to some extent through communications with the auditor. An outsider may have access to the views of the inspectors or audit committee but otherwise what they see are the failures of audit – for example, when an audit fails to detect a later identified misstatement or when an inspector or regulator sanctions the auditor for poor work or misconduct.
Second, the audited entity appoints and pays the auditor; and auditors (at least in the private sector) are commercial organisations with motivations to make profit from their business. They are very often multi-service businesses that may well see the audited entity as a commercial target for their non-audit service offerings. Unchecked, such motivations create inherent conflicts of interest that may incentivise the auditor to compromise their integrity and objectivity in making audit judgments. These threats, whether or not the auditor succumbs to them, create a ready basis for distrust by outsider users, if and when audit failures come to light. This issue is exacerbated because users often do not understand the scope and design limitations of an audit. So what they perceive as audit failures may extend to circumstances that were not failures of the audit to deliver what it was designed to deliver. Even if users do fully understand the scope and design limitations of the audit, they may question the point of an audit if those limitations result in the audit failing to forewarn of, or prevent, a significant loss of value for them.
In effect, the system calls for ‘blind trust’ in auditors and in the effectiveness of their audit judgments because neither that effectiveness nor the integrity and objectivity of the auditor, can be perceived directly by the user.
So, in developing measures to repair the damage to trust in audit sustained in the financial crisis, our aim has been to focus on making the key audit judgments more transparent, on reducing the threats to objectivity and integrity and, recognising the interdependencies, on improving the quality of governance, reporting and audit in a holistic manner.
~~~~~
At 50,000 feet, that is a brief summary of what we have been trying to do and why. Before getting closer to the ground, let me also explain a little about the FRC because the unique nature and combination of our powers and responsibilities has enabled us to take some actions that other audit regulators would not be able to implement on their own.
The FRC is the UK’s financial reporting, audit and actuarial standard setter; and we also set guidance for broader corporate reporting. We’re responsible for inspecting the quality of financial statements and annual reports issued by public interest entities and the quality of their audits. We also have powers to sanction poor audit work and misconduct. Last but not least, we set the UK Corporate Governance and Stewardship Codes.
This breadth of responsibility enables us to build our standards on the experience we gain from our inspections of financial statements and audits, and from our professional discipline work. But it also enables us to combine our influence over corporate governance and corporate reporting – including the work of boards, and especially that of audit committees – with our regulation of auditors, to promote holistic solutions to corporate governance and reporting issues that include enhancing the role and quality of audit.
But we don’t operate in splendid isolation. Business operates globally and its regulation has a strong international dimension. In addition, the public interest in governance and reporting makes it inevitable that legislators and other regulators will take direct action when a crisis occurs. Despite the breadth of our responsibilities, there are therefore plenty of other players who influence and regulate corporate governance, reporting and audit and we have to ensure that we dovetail our solutions effectively with the many other international and domestic initiatives being taken.
We are committed to serving the needs of investors - our mission is to promote high quality corporate governance and reporting to foster investment. We have two primary strategies to support this mission. The first is to create a framework that encourages trustworthy behaviour by directors and professionals and effective engagement by investors. The second is to encourage companies to produce trustworthy information that contributes to informed decisions. High quality audit plays an important part in delivering each of these strategies.
Coming back to my earlier comments on the value of audit – we therefore want that value to accrue both exogenously – by enhancing public confidence in corporate reporting and governance – and endogenously – by engendering better governance and reporting behaviours within companies.
We also seek to build justified confidence internationally in the UK regulatory framework for corporate governance and reporting, including across the EU and other major capital markets. Furthermore, we support effective global regulatory solutions because they can be leveraged in our own framework and they support good governance and reporting by non-UK components of UK owned groups. The breadth of our role gives us the opportunity to work closely with Government and other regulators in the UK and internationally in a joined-up way. We aim to provide leadership in international debate; to guard against damaging consequences of international regulation; and to promote justified confidence amongst international investors.
Our auditing standards are based closely on those of the IAASB (the ISAs) in almost all respects except auditor reporting, and they have been since 2004, anticipating the adoption of the ISAs in Europe. That adoption has recently been agreed by EU legislators and is likely to be in place from 2016.
Our primary objective in relation to audit is to promote high quality audits. We do also pay attention to other matters such as the level of competition in the audit market in the UK but only to the extent that is consistent with reinforcing quality.
~~~~~
With that background to the FRC, let me turn to our recent work in relation to auditing and the related changes we have made to the corporate governance and reporting regime. In overview, what have been the drivers for these changes, what do we hope to achieve and where are we on the journey?
The stimulus for change in our arena, as in so many others, has been the financial crisis. No great surprise there. In the immediate aftermath of the crisis we did not find that poor auditing was the root cause of the meltdown in the banking sector. However, we did become convinced that auditors should have done more to sound a warning bell about the level of risk being taken on by the banks. Investors were entitled to expect that auditors, boards and regulators would work together more effectively to identify, assess, mitigate and report on risk. And I will say that, based on our inspections, we were in no doubt about the need to lift the bar in terms of audit quality and there was a clear need to increase public confidence in the value that audits bring.
We place a high degree of faith in the power of transparency to incentivise audit quality. In relation to audit, recently:
-
We have enhanced the role and transparency of audit committees in overseeing the audit relationship, through extended reporting of their work;
-
We have enhanced the transparency of the audit itself, through extended auditor reporting about audits undertaken, to enable public challenge and engagement about whether those audits are effective in meeting the legitimate needs of users; and
-
Although we already have one of the most transparent inspection regimes in the world, our Competition Commission has recommended further increasing both the frequency and transparency of the results of our inspections.
Extended auditor reporting is also called for under the new Audit Regulation and Directive in final stages of agreement by the European Union. And the IAASB as well as the PCAOB is developing revised auditor reporting standards. Both the EU Regulation and the Competition Commission remedies also seek to enhance the role of audit committees in overseeing the audit relationship.
Other actions taken to improve quality and enhance confidence in corporate governance, reporting and audit include:
· FIRSTLY, Measures to enhance risk management and related corporate reporting – These include new requirements for the board to satisfy itself that there are appropriate systems in place to manage risk; a new requirement to include a description of the business model in the annual report (FRC 2010); new requirements for a Strategic report (UK Government 2012); a new requirement for the board to state that they consider the annual report and accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the company’s performance, business model and strategy (FRC 2012); and revisions to the Corporate Governance Code and related guidance, arising from the FRC’s review of risk management and from the Panel of Inquiry chaired by Lord Sharman on going concern to learn lessons from the financial crisis – these last two are still in process.
· SECONDLY, Measures to enhance the relevance to users of the auditor’s role – by placing the auditor more firmly at the heart of governance, requiring auditors to apply their knowledge in reviewing the enhanced annual reports and to speak out in the auditor’s report when this leads them to identify inconsistencies with their knowledge (FRC measures to do so were introduced in 2012; IAASB measures in development)
· THIRDLY, Measures to manage conflicts of commercial self-interest as auditor – by imposing further restrictions on the provision of non-audit services (FRC 2010 and recent EU measures)
· FOURTHLY, Measures to address threats to audit quality from close auditor relationships with companies – by increasing the frequency of audit tendering (FRC, CC, EU) and audit firm rotation (EU requirement)
We believe that collectively these measures should go some way to improving performance, across all sectors not just in banking. However, some are recent innovations or are still being developed and we cannot yet fully assess their ultimate impact. We are not complacent – we recognise the importance of monitoring their implementation, and taking further action if necessary, to ensure that they are implemented effectively.
Furthermore, we hope that the enhanced transparency about audits we are driving will lead to informed dialogue and challenge about the audits that are undertaken – and especially dialogue about whether they meet the legitimate needs of users. We are already beginning to see some signs of this dialogue and challenge, even in the early stages of extended auditor reporting. So we also expect to learn from the outcome of this dialogue and stand ready to take further action to enhance audit quality where necessary to meet those needs.
We also recognise that there may be more to do to address the fundamental issues that arise from the ‘company pays and appoints’ model. To that end we are beginning a full review of the Ethical Framework for auditors, to consider whether, within the context of that model, more can be done to shield auditors within multi-service firms from the wider commercial incentives that could compromise their objectivity and integrity. This might be through enhanced audit firm governance or by removing some of those incentives more fully, for example by further prohibiting the sale of non-audit services to audited entities. We also want to ensure that auditors see Ethics as a set of values or principles that they must uphold and not as Rules, where any behaviour is acceptable if not prohibited.
Finally, we want to establish an environment where auditors seek to compete on audit quality. Of course, this requires an ability and willingness on their part to do more than the minimum required by regulations and standards. But it also requires an environment where quality improvement through innovation is rewarded. We need to ensure that standardisation of the audit, whether through audit firm methodologies, auditing standards or the expectations of audit inspectors, does not stifle individual auditor and audit firm judgments on better ways to achieve the objectives of the audit. We want to know in that context that the skills and competencies of auditors remain fit for purpose given developments in business models and emerging methods of doing business and of storing and handling data subject to audit. We have therefore jointly sponsored some studies on future skills and competency needs for auditors.
~~~~~
So I would say we have made a start but there is more to do.
Now let me explain in more detail the changes we have made to auditor reporting and how these are inter-related with the changes to the corporate governance and reporting framework that I have already mentioned.
The context for enhanced auditor reporting
During the early onset of the financial crisis, the FRC had already undertaken enquiries into lessons to be learned. As a result, the UK Corporate Governance Code was revised, and the Stewardship Code for Institutional Shareholders was issued to engender more engagement by shareholders and investment managers. Initial guidance was also issued to auditors on the approach to going concern, on the governance of audit firms and on auditor independence.
However, the crisis had also highlighted the importance of the identification, analysis and management of risk. That was not only true in the financial services sector. Companies in all sectors still got into trouble as a result of failures in this area. There had been criticisms by investors and other stakeholders that companies, particularly those in the financial sector, had provided inadequate or misleading corporate and financial reports in the run up to the financial crisis. Later in the aftermath of the crisis, many also began to question ‘where were the auditors?’ in companies that had been given a clean bill of health and later collapsed.
We wanted to reduce the likelihood that this message would be forgotten – as it had been after previous crises – by increasing transparency in directors’ reports on their activities, including their management of risk.
In 2010, the FRC issued its policy paper entitled Effective Company Stewardship. The paper set out how the FRC felt high quality corporate governance, reporting and audit should look. We wanted to see:
Other actions taken to improve quality and enhance confidence in corporate governance, reporting and audit include:
· FIRSTLY, Measures to enhance risk management and related corporate reporting – These include new requirements for the board to satisfy itself that there are appropriate systems in place to manage risk; a new requirement to include a description of the business model in the annual report (FRC 2010); new requirements for a Strategic report (UK Government 2012); a new requirement for the board to state that they consider the annual report and accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the company’s performance, business model and strategy (FRC 2012); and revisions to the Corporate Governance Code and related guidance, arising from the FRC’s review of risk management and from the Panel of Inquiry chaired by Lord Sharman on going concern to learn lessons from the financial crisis – these last two are still in process.
· SECONDLY, Measures to enhance the relevance to users of the auditor’s role – by placing the auditor more firmly at the heart of governance, requiring auditors to apply their knowledge in reviewing the enhanced annual reports and to speak out in the auditor’s report when this leads them to identify inconsistencies with their knowledge (FRC measures to do so were introduced in 2012; IAASB measures in development)
· THIRDLY, Measures to manage conflicts of commercial self-interest as auditor – by imposing further restrictions on the provision of non-audit services (FRC 2010 and recent EU measures)
· FOURTHLY, Measures to address threats to audit quality from close auditor relationships with companies – by increasing the frequency of audit tendering (FRC, CC, EU) and audit firm rotation (EU requirement)
We believe that collectively these measures should go some way to improving performance, across all sectors not just in banking. However, some are recent innovations or are still being developed and we cannot yet fully assess their ultimate impact. We are not complacent – we recognise the importance of monitoring their implementation, and taking further action if necessary, to ensure that they are implemented effectively.
Furthermore, we hope that the enhanced transparency about audits we are driving will lead to informed dialogue and challenge about the audits that are undertaken – and especially dialogue about whether they meet the legitimate needs of users. We are already beginning to see some signs of this dialogue and challenge, even in the early stages of extended auditor reporting. So we also expect to learn from the outcome of this dialogue and stand ready to take further action to enhance audit quality where necessary to meet those needs.
We also recognise that there may be more to do to address the fundamental issues that arise from the ‘company pays and appoints’ model. To that end we are beginning a full review of the Ethical Framework for auditors, to consider whether, within the context of that model, more can be done to shield auditors within multi-service firms from the wider commercial incentives that could compromise their objectivity and integrity. This might be through enhanced audit firm governance or by removing some of those incentives more fully, for example by further prohibiting the sale of non-audit services to audited entities. We also want to ensure that auditors see Ethics as a set of values or principles that they must uphold and not as Rules, where any behaviour is acceptable if not prohibited.
Finally, we want to establish an environment where auditors seek to compete on audit quality. Of course, this requires an ability and willingness on their part to do more than the minimum required by regulations and standards. But it also requires an environment where quality improvement through innovation is rewarded. We need to ensure that standardisation of the audit, whether through audit firm methodologies, auditing standards or the expectations of audit inspectors, does not stifle individual auditor and audit firm judgments on better ways to achieve the objectives of the audit. We want to know in that context that the skills and competencies of auditors remain fit for purpose given developments in business models and emerging methods of doing business and of storing and handling data subject to audit. We have therefore jointly sponsored some studies on future skills and competency needs for auditors.
~~~~~
So I would say we have made a start but there is more to do.
Now let me explain in more detail the changes we have made to auditor reporting and how these are inter-related with the changes to the corporate governance and reporting framework that I have already mentioned.
The context for enhanced auditor reporting
During the early onset of the financial crisis, the FRC had already undertaken enquiries into lessons to be learned. As a result, the UK Corporate Governance Code was revised, and the Stewardship Code for Institutional Shareholders was issued to engender more engagement by shareholders and investment managers. Initial guidance was also issued to auditors on the approach to going concern, on the governance of audit firms and on auditor independence.
However, the crisis had also highlighted the importance of the identification, analysis and management of risk. That was not only true in the financial services sector. Companies in all sectors still got into trouble as a result of failures in this area. There had been criticisms by investors and other stakeholders that companies, particularly those in the financial sector, had provided inadequate or misleading corporate and financial reports in the run up to the financial crisis. Later in the aftermath of the crisis, many also began to question ‘where were the auditors?’ in companies that had been given a clean bill of health and later collapsed.
We wanted to reduce the likelihood that this message would be forgotten – as it had been after previous crises – by increasing transparency in directors’ reports on their activities, including their management of risk.
In 2010, the FRC issued its policy paper entitled Effective Company Stewardship. The paper set out how the FRC felt high quality corporate governance, reporting and audit should look. We wanted to see:
-
Higher quality narrative reporting, particularly on business strategy and risk management;
-
More widespread recognition of the importance of Audit Committees and, therefore, greater emphasis on their contribution to the integrity of financial reporting;
-
Greater transparency of the way that Audit Committees discharge their responsibilities in relation to the integrity of the Annual Report and their oversight of the effectiveness of the external audit and the company’s relationship with the auditor; and
-
More information provided by the auditor about the audit, both to Audit Committees and to investors, and a broadening of the scope of the auditor's responsibilities.
A key proposal in relation to audit was that “confidence in corporate reporting should be reinforced by a more effective and transparent assurance regime that involves … a quality audit of the financial statements”.
We recognised that the effective exercise of professional judgment is fundamental to the quality of every audit and is required at numerous stages during an audit. We wanted to ensure that auditors were more incentivised to approach issues such as these with an appropriate mindset – a mindset that includes professional scepticism. We thought that such scepticism would be enhanced by greater transparency, with the judgments made by auditors being open to effective challenge by the Audit Committee and investors.
Against this background, in 2012, we set about making changes:
We recognised that the effective exercise of professional judgment is fundamental to the quality of every audit and is required at numerous stages during an audit. We wanted to ensure that auditors were more incentivised to approach issues such as these with an appropriate mindset – a mindset that includes professional scepticism. We thought that such scepticism would be enhanced by greater transparency, with the judgments made by auditors being open to effective challenge by the Audit Committee and investors.
Against this background, in 2012, we set about making changes:
-
To enhance the quality of the information auditors shared with the audit committee;
-
To extend corporate reporting about the work of the audit committee; and
-
To take auditor reporting requirements beyond the largely binary auditor’s reports that had become the norm.
We required auditors to report to audit committees:
-
Information relevant to the Board in making the statement that the annual report and accounts taken as a whole are fair, balanced and understandable; and
-
The information the auditor believes the audit committee needs to understand the professional judgments made in the audit and in reaching its opinion.
The first element calls on the auditor to provide insights from their audit work about matters that they believe should be included in the financial statements and the annual report. It is also linked to the enhanced responsibility that we placed on the auditor to consider whether any information in the annual report and accounts is inconsistent with the knowledge they gained in the course of the audit (in the context of the directors’ new statement).
The second element requires auditors to focus on the key professional judgments they made in the audit – these will either be judgments in planning or performing the audit or in evaluating the judgments made by the directors in preparing the financial statements. We provided guidance to auditors on relevant areas of judgment they should consider in this regard:
-
business risks relevant to financial reporting objectives, the application of materiality and the implications of their judgments in relation to these for the overall audit strategy, the audit plan and the evaluation of misstatements identified;
-
significant accounting policies;
-
management’s valuations of the entity’s material assets and liabilities and related disclosures;
-
the effectiveness of the entity’s system of internal control relevant to risks that may affect financial reporting; and indeed other risks arising from the entity’s business model and the effectiveness of related internal controls to the extent, if any, the auditor has obtained an understanding of these matters; and
-
Any other matters that the auditor believes will be relevant to the board or the audit committee in fulfilling their responsibilities for the oversight of the financial and corporate reporting process and their review of the risk management and internal control systems.
We also required boards to describe in the annual report the work of the audit committee in discharging its responsibilities, including:
-
significant issues considered in relation to the financial statements (including those raised by the auditor) and how they were addressed;
-
how they assessed the effectiveness of the audit; and
-
their approach to appointing the auditor and ensuring objectivity relative to any non-audit service the external audit firm provides.
We wanted to make sure that the auditor’s report was worth reading, that it provided a platform of information about the audit that investors could use as a basis for engagement about the audit. If we could do this, we might start to close the expectation gap between what the public believes to be the job of the auditor and how it should be performed, and what the statutory responsibilities of the auditor are and how they are fulfilled in practice. We also wanted to reinforce the role of the auditor in relation to the annual report as a whole.
In 2012, just as the international auditing standard setting body – the IAASB – issued its consultation on ‘improving the auditor’s report’, the FRC finalised its own proposals, including changes to our auditing standards and to the UK Corporate Governance Code.
Changes to the auditor’s report and auditor’s responsibilities
The aims of the 2012 changes for auditors were to:
In 2012, just as the international auditing standard setting body – the IAASB – issued its consultation on ‘improving the auditor’s report’, the FRC finalised its own proposals, including changes to our auditing standards and to the UK Corporate Governance Code.
Changes to the auditor’s report and auditor’s responsibilities
The aims of the 2012 changes for auditors were to:
-
improve the transparency of the audit;
-
back up the new requirements for enhanced reporting by audit committees of the issues the auditors had raised with them – by giving auditors the power to ensure that those matters were adequately addressed in the annual report or to bring them to users’ attention in the auditor’s report; and
-
respond to the increasing interest of investors in the audit.
We therefore required the auditor’s report to be extended to describe:
-
Any matters discussed in the Annual Report that the auditor considers to be inconsistent with its knowledge or otherwise misleading (for example because their description is inconsistent with the fair balanced and understandable requirement) – and at the same time we extended the auditor’s responsibility under ISA 720 to read the annual report to identify such inconsistencies, not only inconsistencies with the financial statements; and
-
Matters it has drawn to the attention of the audit committee but only to the extent that those are not appropriately disclosed in the Annual Report.
Then, in June of last year, we took further steps to make the auditor’s report more transparent about the actual audit undertaken. The further changes included three new requirements:
-
To describe those assessed risks of material misstatement identified by the auditor as having the greatest effect on:
– The overall audit strategy;
– The allocation of resources in the audit; and
– Directing the efforts of the engagement team.
We clarified that such assessed risks may be (but do not have to be) significant risks as defined in ISA 315 and that the auditor is not required to describe all significant risks as defined.
– The allocation of resources in the audit; and
– Directing the efforts of the engagement team.
We clarified that such assessed risks may be (but do not have to be) significant risks as defined in ISA 315 and that the auditor is not required to describe all significant risks as defined.
-
To explain how the auditor applied the concept of materiality in planning and performing the audit
– The explanation must at least specify the threshold used by the auditor as materiality for the financial statements as a whole
-
To provide a summary of the audit scope, including an explanation of how the scope was responsive to the assessed risks of material misstatement and the auditor’s application of the concept of materiality.
We considered that these June 2013 changes ‘completed the circle’ with the changes introduced in October 2012. The 2012 changes were expected, primarily through enhanced audit committee reporting, to make more transparent the key judgments in preparing the company’s financial statements. We considered that such matters fall within the domain of the company and that the primary responsibility for their disclosure should be with the company. However, we also believed that the auditor should have a secondary responsibility to report if the directors failed to meet their responsibility to do so.
In contrast, the 2013 changes were expected to address other key judgments in planning and performing the audit that define the particular audit – we considered that such matters fall within the domain of the auditor and that the primary responsibility for their disclosure should be with the auditor.
Taken together these changes are intended to provide investors with information in the auditor’s report and audit committee reporting that conveys a better understanding of, and basis for engagement about, the most significant judgments made by the auditor both in relation to management ‘s judgements in preparing the financial statements, and in conducting the audit.
All of these changes to the auditing standards were made effective for periods commencing on or after 1 October 2012, consistent with the effective date of the related changes to the UK Corporate Governance Code. They apply to entities that are required, or choose voluntarily, to apply the UK Corporate Governance Code. That would include most UK listed companies and some companies listed on AIM, our junior market. In effect, they first apply (for calendar year reporting companies) for the 2013 year end.
Response to the changes
Enhanced auditor’s reports and audit committee reporting under the new regime are now appearing. We also saw several examples of companies and their auditors adopting the new reporting model early.
A report by KPMG looked at the audit reports of the first 20 or so FTSE 350 companies to report. This provided some early indications about the structure of the new auditor’s reports, the number and type of audit risks being covered, the nature of the disclosures made about materiality and the levels of audit coverage disclosed. For example, they found that only 7 of the 36 different types of risk addressed in those reports were repeated across more than one report. The others occurred only once, suggesting that auditors were not generally taking a boiler plate approach to listing risks.
Now, a little later in the reporting season, many more reports are available and the pace of their emergence is quickening. Our own analysis of a selection of 21 of those reports shows a number of interesting trends emerging. In general the new regime seems to have been positively embraced by each of the major audit firms who have so far reported.
However, there are some interesting differences emerging in the approaches of the firms:
Location of audit opinion – two of the firms give the opinion first; a third places it immediately after a brief introduction identifying the audited financial statements and one gives the opinion much later in the report. We think investors want to see this near the beginning of the report.
Going concern – we did not mandate any reporting on going concern at this stage in the new model, but this was consulted on by the IAASB. Two of the firms have voluntarily reported on going concern, and have done so consistently, whereas the other two have not. One firm anticipates the reporting model consulted on by the IAASB – addressing both whether the going concern basis of accounting is appropriate and whether any material uncertainties were identified. The other firm addresses only the going concern basis of accounting.
Assessed risks of material misstatement addressed – the number of risks addressed falls within the range of 2 to 10, with a mean of 4.6 in our sample of 21 reports. Impairment was included as a risk in 16 of those.
Correlation of risks addressed in auditor and audit committee reporting - In 10 of the 21 reports all the risks commented on by the audit committee were also discussed in the audit report. There were some limited differences in the other reports.
Incidence of ‘boiler-plate’ or standard risk reporting – One firm appears to include in all of its reports two risks - Fraud in Revenue Recognition and Management Override of controls
Materiality – all but one of the firms usually discloses not only the overall materiality level in absolute terms but also as a percentage of the benchmark (usually profit before tax or normalised profit before tax) it has used. The other firm only discloses the level. When disclosed the percentages range from 4.9% to 10%, though almost all are 5%. One firm also always discloses performance materiality, generally 70-75% of overall materiality but 50% in one case. In addition, all of the sample reports disclosed the magnitude of unadjusted errors that auditors report to the audit committee.
Describing the auditor’s response to risks addressed and their findings – there is a range of different styles emerging in this respect. Most reports describe the risk or issue and the auditor’s response. Some also indicate the auditor’s findings – one interesting example in that regard is the auditor’s report on Rolls Royce.
This has been an area of interest in responses to the IAASB’s consultation – with some respondents strongly against such disclosures and some strongly in favour. Those against cite the risk that findings will be seen as separate opinions and that there is a ‘risk’ of the auditor providing original information, which they do not support – in fact to many of them this is almost an article of faith.
Others have suggested that these requirements for auditors may in effect lower the threshold for disclosure of matters pertaining to the company below that set in the financial reporting framework. They don’t see this as the role of the auditing standards setter. Furthermore a number of the audit firms who responded to the IAASB’s consultation have suggested that they came across a number of ‘sensitive’ issues and that auditors need more guidance on how to address these (both in terms of selecting them as matters to include in their report and in terms of what they say about them). Some have suggested there needs to be an exception to reporting such matters.
Examples of lowering the reporting threshold or of sensitive matters that were cited include:
-
close calls in relation to going concern;
-
matters subject to commercial sensitivities, professional privilege and privacy;
-
possible illegal acts or possible fraud;
-
significant deficiencies in internal control;
-
breaches of independence;
-
complex tax strategies or disputes;
-
problems with management or those charged with governance, including views on the quality and effectiveness of the governance and risk management structures;
-
regulatory investigations;
-
contingent liabilities that do not meet the requirements for disclosure under the applicable financial reporting framework, or other litigation or commercial disputes; and
-
the evaluation of identified but uncorrected misstatements.
We are not aware of major difficulties auditors have had in considering these types of item in applying our requirements but they pose some interesting questions and will need to be considered in terms of implementation feedback in due course.
Matters the auditor discussed with the audit committee – none of the selected reports speaks out to identify a matter the auditor considered that the audit committee should have addressed in their report or that, though addressed, was not appropriately so. This does not surprise us. We see this as a reserve power for the auditor to drive better compliance in audit committee reporting.
It is early days and our analysis is quite preliminary at this stage. Of course, we will be reviewing the application of the new auditor and audit committee reporting regime as part of our inspection programmes. But we will also be monitoring them more broadly to consider how well they are meeting our objectives. A key input for us in this respect is whether the new auditor reports are providing valuable information for users and whether they are stimulating dialogue about the audit.
Audit committee reporting
Audit committees are required to disclose significant issues they considered in relation to the financial statements and how they were addressed (including matters raised with them by the auditor); how they went about assessing the effectiveness of the audit; and their approach to appointing the auditor and ensuring objectivity relative to any non-audit service the external audit firm provides. The Governance Code is not prescriptive in relation to how these matters should be addressed.
However, our Financial Reporting Lab was set up to improve the effectiveness of corporate reporting in the UK. The Lab provides a safe environment for listed companies to explore innovative reporting solutions with investors, to ensure such reporting meets their needs. Lab project reports do not become new reporting requirements. Instead, they summarise observations on practices that investors find useful to their analysis and encourage companies to consider adopting those practices if appropriate in the context of their own reporting.
Last year the Lab undertook a project on the new audit committee reporting requirements. Key findings included that investors wanted audit committees to:
-
Demonstrate ownership and accountability by personalising their reporting;
-
Be specific to the company and to the current year;
-
Say what they did (not just what they do): depict their specific activities during the year and their purpose, using active, descriptive language;
-
Disclose judgement calls made during the year, and the sources of assurance and other evidence drawn upon to satisfy themselves that the conclusion drawn was appropriate;
-
Consider their audience in describing issues and their consequences for the company and its reporting; and
-
Consider where in the annual report information is best included, and avoid repetition.
-
One of the most difficult challenges was thought to be the requirement to describe how the effectiveness of the audit was assessed. Anecdotally, we hear that Audit Committees are beginning to realise that although they know how to assess the quality of service and the lead audit partner, they are less sure how to assess many aspects of the quality of the audit itself.
I believe this presents an opportunity for better engagement between the auditor and audit committee and that this may in time drive better challenge by audit committees. Engagement on these matters by investors may also assist audit committees with their assessment. However, we also recognise that some assistance may be required and we are aiming to review best practice, to consider how this may be disseminated and whether more is needed.
~~~~~
That’s a relatively quick, early reaction to some of what we are seeing. Before closing and turning the floor over to you for your questions, I would like to touch briefly on three particular points I have already mentioned briefly – other extended auditor reporting initiatives, developments in relation to going concern and developments in the European Union.
Other extended auditor reporting initiatives
As many of you will know, other standard setters are also pursuing changes to the auditor’s report. The IAASB and the PCAOB have each issued proposals for extended auditor reporting that are each at the stage of considering consultation responses. Each of them has similarities with, and some differences from, our approach.
Both of those bodies can only make changes to auditor reporting requirements. Their proposals include requirements for the auditor to describe in the auditor’s report the ‘key audit matters’ (IAASB) or the ‘critical audit matters’ (PCAOB). Though each of these concepts is defined a little differently, we believe that in practice the matters that are likely to be addressed would be broadly consistent with matters disclosed in the extended UK auditor’s report or audit committee reporting.
Each of the proposed models recognises that auditor judgment will play an important role in determining which matters are to be addressed and the extent to which the auditor should describe the matter, the impact on the audit and the auditor’s findings. There are differing views amongst stakeholders about the degree to which consistency with respect to these judgments should be required and how to achieve that. We tend to favour judgment over consistency as we believe that a drive for consistency is more likely to exclude certain types of items.
We have tried to convey to auditors the types of items that they should consider for disclosure through our enhanced requirements for auditor communication with audit committees and through specifying the requirements for auditors to address materiality, risks and audit scope. Ultimately we believe the objective must be to identify matters of relevance to users. But we do not say so directly. This is also recognised in responses to the IAASB consultation. Some want a more direct link in the requirements.
Some of the UK requirements (especially those relating to materiality and the scope of the audit) are not addressed by the IAASB or by the PCAOB. Nonetheless, the IAASB’s proposals also acknowledge that the auditor may wish to raise these matters in the auditor’s report and notes that if so they may use an ‘other matter’ paragraph.
Going concern
The Sharman Panel was commissioned by the FRC to learn lessons about companies’ approach to going concern. The financial crisis had highlighted concerns about the quality of information that companies provide on their financial health and their ability to withstand stresses in the short to medium-term and about whether the auditor’s role in relation to this was adequate. Similar concerns have been raised elsewhere internationally, especially that the going concern regime did not provide sufficient early warning of factors that led to the downfall of a number of financial institutions.
The Sharman Panel concluded that the going concern process was seen as an accounting issue addressed by boards periodically when drawing up financial statements. The Panel thought that it should be an integral part of the Board’s responsibilities for risk management. It concluded that if the assessment of going concern risks and related public reporting were to be integrated in that way, this would engender better risk management behaviours by boards.
The Panel also thought that the assessment process should be enhanced to consider solvency over the longer term not just liquidity over the shorter term – which was how many companies approached the exercise. It wanted boards to make the assessment prudently (even though their financial statements may be neutral) and to undertake stress testing of both solvency and liquidity. It wanted boards to report that they had carried out a robust assessment, to comment about the principal solvency and liquidity risks they had identified in a graduated manner in the annual report (ie outside the financial statements) and to leverage the same assessment process in concluding on the use of the going concern basis of accounting and the need for going material uncertainty disclosures in the financial statements. The graduated narrative reporting would provide earlier warning if undertaken effectively. The auditor should have an enhanced role to review these disclosures and speak out if they were inconsistent with their knowledge.
The Panel noted confusion about the use of the term going concern both in relation to the application of references to it both in the accounting standards and in the Corporate Governance provision requiring boards to confirm that the company is a going concern in the annual report. It wanted the FRC to develop a common understanding in relation to the use of the term in both cases, ideally in conjunction with IASB.
There is broad support in the UK for the Sharman recommendations and we are continuing to consult on their implementation. We have learned that despite the support for the recommendations, it is difficult to get broad support from stakeholders for the detailed provisions we propose. A key factor is the special meaning of going concern in the context of the accounting standards. The going concern basis of accounting is required to be applied unless liquidation is planned or unavoidable. But the more common sense view of a going concern is an entity that can continue to operate on a normal basis over the longer term, and meet its liabilities, without unplanned downscaling or other actions that would damage the value creating potential of the business. Investors want narrative reporting about risks to be made against that more common sense view. But many preparers and auditors fear this will create confusion with the going concern basis of accounting and that they will be unable to draw the conclusion that an entity is a going concern on the common sense basis with any reasonable level of confidence.
We have consulted twice – the most recent consultation integrates this implementation with more general improvements to the UK Corporate Governance Code, and related guidance for boards of listed companies. An enhanced role for auditors as recommended by the Panel has also been proposed and is generally not contentious, once the provisions for directors have been finalised. Discussions with stakeholders continue, in order to develop appropriate wording that would enable investors to be reasonably assured that the directors have made a robust assessment, appropriately described the risks they face and are satisfied that after taking into account their risk management and mitigation strategies they are satisfied that the entity remains viable and that the net risks are well-judged.
We hope to be in a position to undertake a further (and hopefully final) consultation in April.
Developments in Europe
As a member of the European Union, we are subject to legislative changes both in the UK and at European level. You may be aware that a major review has been underway in Europe for a number of years to enhance the framework for statutory audits across the European Union. The project has led to the development of a Directive, to enhance the existing requirements applicable to all statutory audits, and a new Regulation which establishes additional requirements for audits of public-interest entities.
These legislative instruments are in the final stages of adoption and would likely take effect from mid-2016. The IAASB’s ISAs will now be adopted subject to a review by the Commission to ensure consistency with certain requirements. There will also be certain minimum auditor reporting requirements including a requirement for a statement about any material going concern uncertainties.
Additional key changes introduced for public interest entities include:
I believe this presents an opportunity for better engagement between the auditor and audit committee and that this may in time drive better challenge by audit committees. Engagement on these matters by investors may also assist audit committees with their assessment. However, we also recognise that some assistance may be required and we are aiming to review best practice, to consider how this may be disseminated and whether more is needed.
~~~~~
That’s a relatively quick, early reaction to some of what we are seeing. Before closing and turning the floor over to you for your questions, I would like to touch briefly on three particular points I have already mentioned briefly – other extended auditor reporting initiatives, developments in relation to going concern and developments in the European Union.
Other extended auditor reporting initiatives
As many of you will know, other standard setters are also pursuing changes to the auditor’s report. The IAASB and the PCAOB have each issued proposals for extended auditor reporting that are each at the stage of considering consultation responses. Each of them has similarities with, and some differences from, our approach.
Both of those bodies can only make changes to auditor reporting requirements. Their proposals include requirements for the auditor to describe in the auditor’s report the ‘key audit matters’ (IAASB) or the ‘critical audit matters’ (PCAOB). Though each of these concepts is defined a little differently, we believe that in practice the matters that are likely to be addressed would be broadly consistent with matters disclosed in the extended UK auditor’s report or audit committee reporting.
Each of the proposed models recognises that auditor judgment will play an important role in determining which matters are to be addressed and the extent to which the auditor should describe the matter, the impact on the audit and the auditor’s findings. There are differing views amongst stakeholders about the degree to which consistency with respect to these judgments should be required and how to achieve that. We tend to favour judgment over consistency as we believe that a drive for consistency is more likely to exclude certain types of items.
We have tried to convey to auditors the types of items that they should consider for disclosure through our enhanced requirements for auditor communication with audit committees and through specifying the requirements for auditors to address materiality, risks and audit scope. Ultimately we believe the objective must be to identify matters of relevance to users. But we do not say so directly. This is also recognised in responses to the IAASB consultation. Some want a more direct link in the requirements.
Some of the UK requirements (especially those relating to materiality and the scope of the audit) are not addressed by the IAASB or by the PCAOB. Nonetheless, the IAASB’s proposals also acknowledge that the auditor may wish to raise these matters in the auditor’s report and notes that if so they may use an ‘other matter’ paragraph.
Going concern
The Sharman Panel was commissioned by the FRC to learn lessons about companies’ approach to going concern. The financial crisis had highlighted concerns about the quality of information that companies provide on their financial health and their ability to withstand stresses in the short to medium-term and about whether the auditor’s role in relation to this was adequate. Similar concerns have been raised elsewhere internationally, especially that the going concern regime did not provide sufficient early warning of factors that led to the downfall of a number of financial institutions.
The Sharman Panel concluded that the going concern process was seen as an accounting issue addressed by boards periodically when drawing up financial statements. The Panel thought that it should be an integral part of the Board’s responsibilities for risk management. It concluded that if the assessment of going concern risks and related public reporting were to be integrated in that way, this would engender better risk management behaviours by boards.
The Panel also thought that the assessment process should be enhanced to consider solvency over the longer term not just liquidity over the shorter term – which was how many companies approached the exercise. It wanted boards to make the assessment prudently (even though their financial statements may be neutral) and to undertake stress testing of both solvency and liquidity. It wanted boards to report that they had carried out a robust assessment, to comment about the principal solvency and liquidity risks they had identified in a graduated manner in the annual report (ie outside the financial statements) and to leverage the same assessment process in concluding on the use of the going concern basis of accounting and the need for going material uncertainty disclosures in the financial statements. The graduated narrative reporting would provide earlier warning if undertaken effectively. The auditor should have an enhanced role to review these disclosures and speak out if they were inconsistent with their knowledge.
The Panel noted confusion about the use of the term going concern both in relation to the application of references to it both in the accounting standards and in the Corporate Governance provision requiring boards to confirm that the company is a going concern in the annual report. It wanted the FRC to develop a common understanding in relation to the use of the term in both cases, ideally in conjunction with IASB.
There is broad support in the UK for the Sharman recommendations and we are continuing to consult on their implementation. We have learned that despite the support for the recommendations, it is difficult to get broad support from stakeholders for the detailed provisions we propose. A key factor is the special meaning of going concern in the context of the accounting standards. The going concern basis of accounting is required to be applied unless liquidation is planned or unavoidable. But the more common sense view of a going concern is an entity that can continue to operate on a normal basis over the longer term, and meet its liabilities, without unplanned downscaling or other actions that would damage the value creating potential of the business. Investors want narrative reporting about risks to be made against that more common sense view. But many preparers and auditors fear this will create confusion with the going concern basis of accounting and that they will be unable to draw the conclusion that an entity is a going concern on the common sense basis with any reasonable level of confidence.
We have consulted twice – the most recent consultation integrates this implementation with more general improvements to the UK Corporate Governance Code, and related guidance for boards of listed companies. An enhanced role for auditors as recommended by the Panel has also been proposed and is generally not contentious, once the provisions for directors have been finalised. Discussions with stakeholders continue, in order to develop appropriate wording that would enable investors to be reasonably assured that the directors have made a robust assessment, appropriately described the risks they face and are satisfied that after taking into account their risk management and mitigation strategies they are satisfied that the entity remains viable and that the net risks are well-judged.
We hope to be in a position to undertake a further (and hopefully final) consultation in April.
Developments in Europe
As a member of the European Union, we are subject to legislative changes both in the UK and at European level. You may be aware that a major review has been underway in Europe for a number of years to enhance the framework for statutory audits across the European Union. The project has led to the development of a Directive, to enhance the existing requirements applicable to all statutory audits, and a new Regulation which establishes additional requirements for audits of public-interest entities.
These legislative instruments are in the final stages of adoption and would likely take effect from mid-2016. The IAASB’s ISAs will now be adopted subject to a review by the Commission to ensure consistency with certain requirements. There will also be certain minimum auditor reporting requirements including a requirement for a statement about any material going concern uncertainties.
Additional key changes introduced for public interest entities include:
-
The role of audit committees of public interest entities will be strengthened in relation to auditor appointment and independence.
-
Mandatory rotation of audit firms after a maximum period of 20 years, as long as the audit has been retendered after 10 years.
-
A ban on the auditor providing certain non-audit services (subject to some flexibility for Member States) and a cap on other non-audit services at 70% of the combined group audit fees (subject to some exemptions for exceptional circumstances and services required by national or EU law)
-
Additional auditor reporting requirements including: a requirement to identify the most significant assessed risks of material misstatement, the auditor’s response and where relevant key observations arising with respect to the risks; an explanation of the extent to which the audit was capable of detecting irregularities, including fraud; and a statement that the auditor was independent.
~~~~~