Speech by Marek Grabowski, FRC Director of Audit Policy: IBRACON 6th Brazilian Conference on Accounting & Independent Auditing
05 July 2016
The plain text version of Marek's speech can be found below. Download the formatted version (PDF).
Director of Audit Policy
Financial Reporting Council
IBRACON 6th Brazilian Conference on Accounting and Independent Auditing
13 June 2016
Experience of Implementing Auditor Reporting in the UK
Thank you and good morning ladies and gentlemen.
I am very grateful for the opportunity to share with you the UK’s experience of extended auditor reporting. We are now in the third full year of reporting for our largest listed companies, with the prospect of a significant expansion across the full population of listed entities, and to other public interest entities, in the coming year. We think our experience provides valuable insights into the opportunities and challenges ahead – with revised IAASB auditor reporting standards about to come into effect (for periods ending on or after 15th December 2016) and the PCAOB recently proposing similar innovations in the United States.
As the UK regulator, the FRC made significant changes to corporate reporting and auditor reporting requirements in 2012 in order to ensure that users of financial statements were being provided with more transparent information. One of our aims was to encourage greater dialogue between the users and producers of corporate financial information in order to help underpin confidence in the quality of financial reporting and audit in the UK.
Our experience has been largely positive. When we surveyed auditor reporting in the first two years after our reforms we found that many auditors had made quite radical changes that went beyond our requirements. The information being provided was significantly different to what had come before, with a description of key audit matters, of the scope of the audit, of materiality and of the relationships between all three. Many auditors have worked hard to make this material meet the needs of users – avoiding the use of generic or unnecessary technical language; organising the reports to highlight key information; cutting down on boilerplate disclosures, and using graphics and colour to bring the reports to life. We have seen no obvious uplift in audit fees attributed to the new reporting framework, no disruption to the timetable for financial reporting and some preliminary academic analysis which suggests the market is building this information into economic decision making.
The work we have done with key stakeholders, including investors, tells us that these changes have been widely welcomed. Not only are auditor’s reports now providing better information about the nature of the audit process and of the key judgements being made, they also now offer a more useful independent perspective on the companies they audit.
However, even in the third year of implementation there are still opportunities for further improvement. Our sense, based on the discussions we have in the market, is that users are still learning how to fully decode some of the information presented in extended auditor’s reports, and would like more tailoring to meet their needs. There is a reluctance on the part of some auditors and some companies to innovate further in response to this feedback. Investors, and other users, tell us they would like better disclosures in financial statements about key management estimates, and more transparent disclosure by auditors of what are considered to be reasonable ranges, or the tolerances used in testing these estimates. Dialogue between auditors and users of financial statements on issues like these is still in its early stages – and this is a critical factor which may lead to further changes to auditor’s reports and the way they are used in the UK.
Let me first explain a little about the FRC because the unique nature and combination of our powers and responsibilities has enabled us to take some actions that other audit regulators in other countries would not be able to implement on their own.
The FRC is the UK’s financial reporting, auditing and actuarial standard setter; and we also set guidance for broader corporate reporting. We’re responsible for inspecting the quality of financial statements and annual reports issued by public interest entities and the quality of their audits. We also have powers to sanction poor audit work and misconduct. Last but not least, we set the UK Corporate Governance and Stewardship Codes. This breadth of responsibility enables us to build our standards on the experience we gain from our inspections of financial statements and audits, and from our professional discipline work. But it also enables us to combine our influence over corporate governance and corporate reporting – including the work of boards, and especially that of audit committees – with our regulation of auditors, to promote holistic solutions to corporate governance and reporting issues that include enhancing the role and quality of audit.
Our primary objective in relation to audit is to promote high quality audits. We want the value of high quality audit to accrue both exogenously – by enhancing public confidence in corporate reporting and governance – and endogenously – by engendering better governance and reporting behaviours within companies. We also seek to build justified confidence internationally in the UK regulatory framework for corporate governance and reporting, including across the EU and other major capital markets.
Our auditing standards are based closely on those of the IAASB (the ISAs) in almost all respects, and they have been since 2004, anticipating the adoption of the ISAs in Europe from 2016.
Before considering the specifics of extended auditor reporting, let me first put some context around the value of audit. The corporate governance and reporting framework underpins what we see as the privilege of limited liability that is granted to private companies by society. Audit is a key element of that framework and public confidence in corporate governance and reporting depends, in part, on public confidence and trust in the value of audit. But, as the financial crisis and many previous crises have shown, that trust is fragile and is quickly eroded when trust in governance and reporting is undermined. I suggest there are two key root causes of such fragility in public trust in audit.
First, audit is a very opaque product (a ‘black box’) from the perspective of its intended beneficiaries. Even those who understand the process map that is described by the auditing standards would know very little of substance about any particular audit if they were not insiders. That is because the essence of the audit is the professional judgments made by the auditor, at all stages of the audit, as a basis for their opinion. Those judgments, which must be made with objectivity and integrity and with a range of important competencies, are hidden from outsider view. Audit inspectors get an inside view of those judgments through the audit working papers and audit committees are exposed to them to some extent through communications with the auditor. An outsider may have access to the views of the inspectors or audit committee but otherwise what they see are the failures of audit.
Second, the audited entity appoints and pays the auditor; and auditors (at least in the private sector) are commercial organisations with motivations to make profit from their businesses. They are very often multi-service businesses that may well see the audited entity as a commercial target for their non-audit service offerings. Unchecked, such motivations create inherent conflicts of interest that may incentivise the auditor to compromise their integrity and objectivity in making audit judgments. These threats, whether or not the auditor succumbs to them, create a ready basis for distrust by outsider users, if and when audit failures come to light. This issue is exacerbated because users often do not understand the scope and design limitations of an audit. So what they perceive as audit failures may extend to circumstances that were not failures of the audit to deliver what it was designed to deliver. Even if users do fully understand the scope and design limitations of the audit, they may question the point of an audit if those limitations result in the audit failing to forewarn of, or prevent, a significant loss of value for them.
In effect, the system calls for ‘blind trust’ in auditors and in the effectiveness of their audit judgments because neither that effectiveness nor the integrity and objectivity of the auditor, can be perceived directly by the user. So, in developing measures to repair the damage to trust in audit sustained in the financial crisis, the FRC’s aim has been to focus on making the key audit judgments more transparent, on reducing the threats to objectivity and integrity and, recognising the interdependencies, on improving the quality of governance, reporting and audit in a holistic manner.
In overview, what were the drivers for the changes we made in 2012 and what did we hope to achieve? The stimulus for change in our arena, as in so many others, was the financial crisis. No great surprise there. In the immediate aftermath of the crisis we did not find that poor auditing was the root cause of the meltdown in the banking sector. However, we did become convinced that auditors should have done more to sound a warning bell about the level of risk being taken on by the banks. Investors were entitled to expect that auditors, boards and regulators would work together more effectively to identify, assess, mitigate and report on risk. And I will say that, based on our inspections, we were in no doubt about the need to lift the bar in terms of audit quality and there was a clear need to increase public confidence in the value that audits bring.
There had been criticisms by investors and other stakeholders that companies, particularly those in the financial sector, had provided inadequate or misleading corporate and financial reports in the run up to the 2008 financial crisis. Later, in the aftermath of the crisis, many also began to question ‘where were the auditors?’ in companies that had been given a clean bill of health and later collapsed. We wanted to reduce the likelihood that this message would be forgotten – as it had been after previous crises – by increasing transparency in directors’ reports on their activities, particularly their management of risk, as well as a greater emphasis on the role of Audit Committees in maintaining the integrity of financial reporting. A key proposal in relation to audit was that “confidence in corporate reporting should be reinforced by a more effective and transparent assurance regime that involves … a quality audit of the financial statements”.
We recognised that the effective exercise of professional judgment and professional scepticism is fundamental to the quality of every audit and is required at numerous stages during an audit. We thought that such scepticism would be enhanced by greater transparency, by making the judgments made by auditors more open to effective challenge by the Audit Committee and investors. Against this background, in 2012, we set about making changes:
· To enhance the quality of the information auditors shared with the audit committee;
· To extend corporate reporting about the work of the audit committee; and
· To take auditor reporting requirements beyond the largely binary auditor’s reports that had become the norm.
We wanted to make sure that the auditor’s report was worth reading, that it provided a platform of information about the audit that investors could use as a basis for engagement about the audit. If we could do this, we might start to close the expectation gap between what the public believes to be the job of the auditor and how it should be performed, and what the statutory responsibilities of the auditor are and how they are fulfilled in practice.
Our reforms were applied to the auditors of companies in the UK with a premium listing and to those who voluntarily complied with the UK corporate governance code. To an extent these reforms anticipated changes to international auditing standards and European regulation which have subsequently come into force. As a member of the European Union, we are subject to legislative changes both in the UK and at European level. You may be aware that a major review was conducted in Europe over a number of years with a view to enhancing the framework for statutory audits across the European Union. A new Audit Directive and Regulation were issued in 2014. In implementing the EU Audit Directive and Regulation, and adopting the various changes to the international auditing standards in 2016, we have broadened the scope of extended auditor reporting to cover all listed companies, public interest entities and those who voluntarily comply with the UK Corporate Governance Code.
The changes we made set three high level requirements, for the auditor’s report to provide an overview of:
- Those risks of material misstatement that were identified by the auditor, and which had the greatest effect on the audit strategy, resources required and the work of the engagement team (broadly equivalent to the current IAASB definition of ‘key audit matters’);
- The application of the concept of materiality; and
- The scope of the audit, including how it responded to the risks of material misstatement and the application of materiality.
It should be noted that by asking auditors to disclose information about materiality, and about the scope of the audit, our requirements go beyond the requirements of the recently revised ISAs and the requirements of ISA 701. We have made this choice because we believe that it provides the users of these reports with information about the nature of important auditor judgements, and about how these judgements impact the conduct of the audit.
Auditor judgment plays an important role in determining which matters are addressed and the extent to which the auditor should describe the matter, the impact on the audit and the auditor’s findings. We tend to favour judgment over consistency as we believe that a drive for consistency is more likely to exclude certain types of items. We have tried to convey to auditors the types of items that they should consider for disclosure through our enhanced requirements for auditor communication with audit committees and through specifying the requirements for auditors to address materiality, risks and audit scope. Ultimately we believe the objective must be to identify matters of relevance to users.
At the same time, audit committees were required to report to the board, and in their own reports in the annual report, the issues they considered in relation to the financial statements, including any key judgements made, the matters communicated to them by the auditor, their assessment of the effectiveness of the external audit and the approach taken to the appointment or reappointment of the external auditor.
The FRC has been pro-active in looking at the impact of the changes we made. After two full cycles of new style auditor reporting the evidence suggests that the innovative approach of audit practitioners has struck a chord with the users of this information – and particularly investors. The UK’s Investment Association has sponsored two annual awards which have identified best practice, and given recognition to the best reports. The evidence is that auditor reporting has integrated relatively seamlessly into the financial reporting calendar and – when reports are done well - has become one of the key elements of financial reports which the investment community looks at. We have seen no disruption of reporting timetables, and no evidence of an upwards spike in audit fees, reflecting the fact that auditors are being asked to describe and explain what they have done in the course of their audit rather than carry out additional costly work.
We have published two reviews of extended auditor reporting in the UK, with the aim to help communicate what has gone well, as well as areas of potentially further improvement from the perspective of investors and other key stakeholders. We want to see continued innovation rather than any move towards unnecessary conformity. This innovation must be driven by the interplay between the interests of investors, of audited entities and of the auditors themselves – to ensure that auditor’s reports meet the needs of users in a proportionate and cost effective way.
Overall we found
- Investors, firms and audited entities are all broadly in favour of extended auditor reporting;
- Over the two years, there was a clear trend away from the use of generic language by auditors to more entity specific (and therefore more informative) descriptions;
- The best reports are well structured and consider the needs of the user – particularly in the way they highlight and signpost key information. This includes, for example, prominent placing of the overall opinion, a logical flow of information and concise language;
- Some auditors included ‘findings’ in respect of key audit matters;
- Investors want more granularity about ranges in management estimates and results of audit testing;
- However one criticism has been that there was little analysis of changes, between first and second years, in the issues addressed
As far as the specific requirements of the auditing standards were concerned:
Key audit matters
Our definition of key audit matters is broadly consistent with the IAASB and with the PCAOB proposals for Critical Audit Matters. We have required auditors to describe those risks of material misstatement in the financial statements which have had the greatest significance in the audit, whether due to their impact on the strategy, resources deployed or in directing the engagement team’s efforts. We also required auditors to complement the description of issues set out in Audit Committee Reports and avoid duplication.
Auditors have typically reported between 4 and 5 risks in each auditor’s report, with a very strong correlation with those issues described by the Audit Committee. We have also found that auditors have moved away from generic risks – including those presumed risks of ‘management override of controls’ and ‘fraud in revenue recognition’ unless they have a direct relevance to the circumstances of the audit. Across all sectors the most frequently reported risks were in respect of Goodwill impairment, Tax, Revenue, Acquisitions/Disposals and Pensions.
We have found that over the course of the first two years, partly as a consequence of investor reaction in year one, auditors have been moving away from generic descriptions of those risks. They have been increasingly granular and informative by being increasingly specific in addressing the circumstances of the audited entity. However, investors have told us they would still like more information about the ranges used in management estimates and in audit testing. They consider this to be critical to their assessment of the robustness of the financial statements, and of the professional judgements made by auditors. They dislike the use of language which lacks precision – for example where auditors describe management estimates as “mildly” optimistic or talk about “significant downward adjustments” being made as a result of the audit, but do not say by how much those estimates were optimistic or by how much the financial statements were adjusted. Meeting these investor expectations may be an area of some challenge for auditors. How well could they communicate the implications of more precise information to investors? What might be the reactions and concerns of others, including the management and those charged with governance at the audited entities?
One of the most significant innovations in the UK in the first two years was the inclusion in a few reports of an explicit section describing “audit findings” in respect of each of the key audit matters. This was rolled out on a test basis by one particular audit firm, with an offer to their entire client base to produce a similar report in the second reporting cycle. Despite the very positive reaction of investors to these few early reports, there was actually relatively limited take-up in year two, with only 20% of the reports we surveyed containing audit findings. There are some indications that this is partly the result of a reluctance by the management or audit committees of some companies, who believe this information – particularly when it is about things that went wrong – to be too sensitive to leave to auditors to disclose.
Finally, investors told us they would also welcome a description of how things were changing in the risk landscape year on year. Why were certain issues deemed significant in the prior year but not included in the auditor’s report the following year? Why have new issues arisen? A clear characteristic of our findings in year two was that very few auditors provided any such analysis.
But the messages from Investors were clear. Those reports which addressed such changes were more likely to win The Investment Association prizes.
We require auditors of listed entities in the UK to explain how they applied the concept of materiality in both planning and performing the audit – including the threshold used for the audit of the financial statements as a whole. This goes beyond the requirements of the IAASB’s international auditing standards, and the proposals recently published by the PCAOB in the United States. Our approach to this aspect of reporting was not prescriptive, beyond the requirement to explain the application of materiality in the course of the audit, and of the overall threshold figure used. We did suggest additional content which auditors might consider – including for example performance materiality, how materiality was revised in the course of the audit and significant qualitative aspects.
What we found in the first two years was that many auditors put a great deal of thought and effort into how they presented materiality in their reports – and this was an area where there was significant use of graphical presentation to help users identify and consider the key aspects of judgement. Feedback from users, particularly investors, was broadly positive about how materiality was presented and explained. One significant feature of this information being in the public domain was that investors and analysts were able to look beyond single reports on individual companies and consider more broadly the different ways auditors set and applied materiality. Comparisons were now possible which highlighted areas of ‘good practice’ as well as areas where investors wanted better information and more explanation.
Overall we found that:
- Investors would like more explanation about the reasons for the materiality benchmark chosen, and the % applied
- Investors are sceptical about a methodology which “nearly always ends up at 5% of profit”
- Only one firm discloses performance materiality.
One area of focus was on which benchmark auditors selected, the percentage applied to derive materiality and the explanation of how that judgement was reached. We found that nearly 80% of the auditors in our sample used profit measures as the basis for materiality for the financial statements as a whole. There were slight differences in approach between the ‘big four’ firms in the UK – particularly about whether they used adjusted or unadjusted profit before tax. In some respects investors and others might have taken some comfort from the consistency of approach between different sets of auditors in aggregate. However, they have also expressed some concern that despite the auditing standards requiring the application of professional judgement, the threshold for materiality “nearly always ends up at 5% of profit”. This then must be the basis for further dialogue and engagement between the producers and consumers of extended auditor reporting, and places a particular focus on the quality of explanations about materiality judgements – particularly where we found that less than half of auditors gave any explanation at all even in the second year of reporting.
We also found that very few firms talked about the concept of performance materiality, which can provide an additional insight into the audit risk assessment process. There were various explanations provided for this, but the predominant one was that it was too technical a concept to convey to investors in these reports. Once again, it may be that investors and other stakeholders will provide the external market impetus for this approach to change and for even more transparent reporting.
The second aspect of the UK standards which differs from the IAASB and PCAOB is our requirement for auditors to “provide an overview of the scope of the audit, including an explanation of how such scope addressed the assessed risks of material misstatement disclosed….and was influenced by the auditor’s application of materiality.”
Once again we did not want to be prescriptive about content, because we were requiring auditors to provide an overview which helped explain the relationships between risk, materiality and scope, as well as a broad description of audit coverage. We suggested in application material that auditors might want to explain the coverage of revenue, total assets and profit before tax by different audit procedures; the impact of geographically dispersed business components on the audit or of the group structure including the extent of involvement with component auditors – and these were very common disclosures.
In both our surveys we found greater variety between audit firms, and even between audit partners, in this aspect of auditor reporting. This was particularly in respect of the extent and clarity of disclosures. Some firms adopted a standardised approach across their portfolio of audits, and included significant material about the coverage their audit achieved, and others provided high level context about the environment in which firms were operating which had impacted on audit scope, materiality and risk.
Investors have told us more could still be done, and particularly more information on the differentiation between full scope audit and other procedures. What exactly is meant by the ‘scope’ of audit work, and what is the impact on the assurance gained? Investors would also like to understand how group structure impacts on the audit, and would welcome commentary on quality control over international group audits.
We hope that further innovation will develop in this area from dialogue between investors, audit committees and auditors. We are also looking forward to the implementation of further new requirements in the current reporting season: for companies to report in the financial statements on the entity’s use of the going concern basis of accounting and whether there are material uncertainties that could cause doubt about the entity’s ability to continue to do so; for companies to report in the annual report on the entity’s longer term viability; and for auditors to report explicitly on these matters.
So, in conclusion, what lessons have we learned that might be helpful for those about to implement similar changes?
Firstly we, and more importantly auditors, are proud of the reforms that have been implemented, and of their evident success. Auditor’s reports are now undoubtedly more interesting to read. The fact that investors have instituted annual awards is one possibly surprising indicator of the impact they have had. The Reports have begun to open up the ‘black box’ of the audit, and to give a real insight into the professional judgements that were made. Auditor’s Reports have complemented corporate reporting improvements – with some evidence that their quality and innovation has led to more and better disclosure in Audit Committee Reporting. All of this adds to the sum of information available to the investor to take a critical view of management’s estimates, assumptions and judgements.
This has all been achieved with no indication of any disruption to the reporting timetable, or of any increase in audit fees. In respect of fees, some care may need to be taken when extrapolating from the UK experience, since our requirements have hitherto only applied to the premium listed sector. However, it remains true that what we have required auditors to do is – essentially – to describe and explain the work they have done in the course of an audit and in a way which is accessible to the primary users of financial statements and corporate reporting. It is not evident why this alone should lead to additional costs in any case.
We believe that our non-prescriptive approach helped drive innovation amongst auditors and avoid boilerplate disclosures. We limited our requirements to a few key aspects of the audit, and allowed auditors to apply judgement in the way these were disclosed and about the other information needed to make this comprehensible and useful to investors.
We also recognise that the availability of this new information about the audit, and of the significant issues, risks and judgements being considered cannot be an end in itself. Our ongoing outreach activity suggests that the investor community in the UK wants to have more and better engagement with auditors, and auditors want more and better engagement with investors. Nonetheless this is difficult to achieve in practice. The information in auditor’s reports and audit committee reports could be the basis for more informed engagement – an engagement which may help reduce the ‘expectation gap’ between those who deliver audit and those who use it.
The FRC has required that auditors provide greater transparency about their work, and the foundations of their opinion on the financial statements. We combined this with reforms that ensure that management and those charged with governance share responsibility for the quality of audit and financial reporting. However, even without the support of those additional corporate reporting reforms, the new form of audit report places a greater discipline and responsibility on the auditor – which can be used to ensure that the quality of audit can be challenged and improved. And there is generally nothing to stop companies from taking steps to increase their own transparency about the work of the audit committees or other governance bodies and about the issues they addressed, even if this is not mandated. Investors will still welcome it.
It is also important to remember that confidence in audit can only ultimately be maintained where the underlying quality of the work is robust. That means that the disclosures made by auditors in their reports must have a firm foundation in the work done and the quality of the audit files which document their work. If not, then the confidence gained can easily be lost or undermined.
This leads to the final ‘lesson learned’ that I would mention – which is about the critical importance of planning in the implementation of these changes. Best practice we have seen involved audit partners engaging early with the companies they audited, and with audit committees in particular. They integrated their approach to the audit report into the planning and delivery of the audit, and they included the whole engagement team in the process. This helped align expectations, and also helped ensure that what ended up in their reports reflected the audit being done. This approach helped embed the changes into a process which everyone involved understood and bought into.
I wish you good luck in implementing extended auditor reporting in Brazil and thank you for your attention.